
Analysis Report mFz2QmQMh5.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 115449
Start date: 08.03.2019
Start time: 22:35:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 21m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: mFz2QmQMh5.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.rans.phis.spyw.evad.winEXE@43/139@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 11.5% (good quality ratio 11%)
  • Quality average: 71.5%
  • Quality standard deviation: 27.4%
HCA Information:
  • Successful, ratio: 80%
  • Number of executed functions: 87
  • Number of non-executed functions: 251
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Max analysis timeout: 720s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, RuntimeBroker.exe, wermgr.exe, ShellExperienceHost.exe, conhost.exe, CompatTelRunner.exe, mobsync.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 76
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column. Numbers in parentheses are the signature hit counts shown for that technique (one count per severity); techniques without a count were not matched in this analysis.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (3 1 1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Masquerading (1); Process Injection (3 1 1); Obfuscated Files or Information (2); Obfuscated Files or Information
Credential Access: Input Capture (1 1); Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery (1); Security Software Discovery (1 4 1); File and Directory Discovery (1 1); System Information Discovery (4 3)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Input Capture (1 1); Man in the Browser (1); Data from Local System (1); Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Standard Cryptographic Protocol (2); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication

Signature Overview



Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BAA10 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_008BAA10
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BB0A0 CryptReleaseContext,0_2_008BB0A0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BB170 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_008BB170
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BAB70 CryptAcquireContextA,GetLastError,CryptReleaseContext,0_2_008BAB70
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BAFD0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_008BAFD0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BAF00 CryptReleaseContext,0_2_008BAF00
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BAF40 CryptGenRandom,__CxxThrowException@8,0_2_008BAF40
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BAA10 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,4_1_008BAA10
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BB0A0 CryptReleaseContext,4_1_008BB0A0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BB170 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,4_1_008BB170
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BAB70 CryptAcquireContextA,GetLastError,CryptReleaseContext,4_1_008BAB70
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BAFD0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,4_1_008BAFD0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BAF00 CryptReleaseContext,4_1_008BAF00
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BAF40 CryptGenRandom,__CxxThrowException@8,4_1_008BAF40
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008BB0A0 CryptReleaseContext,5_2_008BB0A0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008BB170 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,5_2_008BB170
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008BAA10 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,5_2_008BAA10
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008BAB70 CryptAcquireContextA,GetLastError,CryptReleaseContext,5_2_008BAB70

Spreading:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00911807 FindFirstFileExA,0_2_00911807
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,0_2_00897710
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,4_1_00897710
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00911807 FindFirstFileExA,4_1_00911807
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,5_2_00897710
Contains functionality to query local drives
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0084DB50 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,0_2_0084DB50
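The Cryptography and Spreading signatures above, and the "String found in binary or memory" lines of the Networking section, all share one "Source:" line shape, and the interesting facts are spread across them: the same function addresses (008BAA10, 008BB170, 00897710) appear in both mFz2QmQMh5.exe and the dropped yxugwjud3784.exe, CryptGenRandom sits next to drive and directory enumeration, and only three of the URLs come from the sample itself while the rest are explorer.exe memory. The following is an added triage helper, not code from the report or from Joe Sandbox, that parses those line shapes and extracts exactly those facts. It assumes that the function id has the form <process index>_<dump index>_<virtual address> (only the first and last fields are used) and that the image name before the first comma identifies the source process; the sample input is constructed from lines copied from this report, some left in the raw exported form without the space before "Code function"/"File opened".

```python
"""Triage helper for the "Source:" lines of a Joe Sandbox signature section.

Added example, not part of the Joe Sandbox report. It parses the three line
shapes used in the report (Code function, File opened, String found in
binary or memory), tolerating the missing space after ".exe"/".sdmp" and the
trailing "Jump to behavior" that the text export leaves behind, and answers
three triage questions:
  1. which functions generate key material (CryptGenRandom) and which walk
     drives or directories (FindFirstFile*, GetLogicalDriveStringsW,
     GetDriveTypeW);
  2. which function addresses recur in more than one executable, a strong
     hint that the dropped file is a copy of the original sample;
  3. which strings come from the sample itself and which from another
     process's memory dump (explorer.exe's default search providers are
     benign noise; the Sectigo CRL/OCSP URLs come from the sample's own
     code-signing certificate chain).
"""
import re
from collections import defaultdict
from ntpath import basename

# Function id format assumed to be <process index>_<dump index>_<address>.
CODE_RE = re.compile(
    r"^Source: (?P<src>.+?) ?Code function: "
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<apis>.+?),(?P=fid)$")
FILE_RE = re.compile(
    r"^Source: (?P<src>.+?) ?File opened: (?P<path>.+?)(?:Jump to behavior)?$")
STR_RE = re.compile(
    r"^Source: (?P<src>.+?) ?String found in binary or memory: (?P<text>.+)$")

KEYGEN_APIS = {"CryptGenRandom"}
ENUM_APIS = {"FindFirstFileA", "FindFirstFileW", "FindFirstFileExA",
             "FindFirstFileExW", "GetLogicalDriveStringsW", "GetDriveTypeW"}

# Constructed input: lines copied from the report, some in the raw exported
# form (no space before "Code function"/"File opened", trailing widget text).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\mFz2QmQMh5.exeCode function: 0_2_008BAA10 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,0_2_008BAA10",
    r"Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008BB170 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,0_2_008BB170",
    r"Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008BB170 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,4_1_008BB170",
    r"Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeCode function: 5_2_008BAA10 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,5_2_008BAA10",
    r"Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,0_2_00897710",
    r"Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0084DB50 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,0_2_0084DB50",
    r"Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeFile opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Jump to behavior",
    r"Source: mFz2QmQMh5.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    r"Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.yahoo.com/",
]


def parse_line(line):
    """Return (kind, source, payload) or None for lines that are not sources."""
    m = CODE_RE.match(line)
    if m:
        return "code", m["src"], (m["fid"], m["apis"].split(","))
    m = FILE_RE.match(line)
    if m:
        return "file", m["src"], m["path"].rstrip()
    m = STR_RE.match(line)
    if m:
        return "string", m["src"], m["text"]
    return None


def triage(lines):
    """Group parsed source lines by the questions a first-pass analyst asks."""
    keygen, enum, addr_files = [], [], defaultdict(set)
    files_opened, strings = defaultdict(list), defaultdict(list)
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        kind, src, payload = parsed
        # Keep only the image name: drop the path and any memory-dump ids.
        proc = basename(src.split(",")[0])
        if kind == "code":
            fid, apis = payload
            addr_files[fid.split("_")[2]].add(proc)
            if KEYGEN_APIS & set(apis):
                keygen.append(fid)
            if ENUM_APIS & set(apis):
                enum.append(fid)
        elif kind == "file":
            files_opened[proc].append(payload)
        else:
            strings[proc].append(payload)
    shared = {addr: sorted(procs) for addr, procs in addr_files.items()
              if len(procs) > 1}
    return {"keygen": sorted(keygen), "enumeration": sorted(enum),
            "shared_addresses": shared, "files_opened": dict(files_opened),
            "strings": dict(strings)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it on the text export of a full report rather than on the constructed sample to get the complete picture; the "shared_addresses" result is the quickest way to confirm that the file dropped to %TEMP% is the same image as the original sample before spending time on it separately.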

Networking:

Found strings which match to known social media urls
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000011.00000000.6755348885.000000000FDE0000.00000002.sdmp String found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: SearchUI.exe, 00000023.00000000.8192444323.000001504DE2A000.00000004.sdmp String found in binary or memory: hotmail equals www.hotmail.com (Hotmail)
Urls found in memory or binary data
Source: explorer.exe, 00000011.00000000.6755348885.000000000FDE0000.00000002.sdmp String found in binary or memory: http://%s.com
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6755348885.000000000FDE0000.00000002.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: mFz2QmQMh5.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: mFz2QmQMh5.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: mFz2QmQMh5.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://sads.myspace.com/
Source: SearchUI.exe, 00000023.00000000.8192444323.000001504DE2A000.00000004.sdmp String found in binary or memory: http://schema.org/reminder
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmp String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6755348885.000000000FDE0000.00000002.sdmpString found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://udn.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000011.00000000.6755348885.000000000FDE0000.00000002.sdmpString found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000011.00000000.6047419303.00000000007B0000.00000002.sdmpString found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000011.00000000.6723747431.000000000EC10000.00000004.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
Source: SearchUI.exe, 00000023.00000000.8185651191.000001504DE13000.00000004.sdmpString found in binary or memory: https://pf.directory.live.com/profile/profile.asmxgram
Source: mFz2QmQMh5.exeString found in binary or memory: https://sectigo.com/CPS0C
Source: SearchUI.exe, 00000023.00000000.8288804886.000001504DF8C000.00000004.sdmpString found in binary or memory: https://www.bing.c
Source: SearchUI.exe, 00000023.00000000.8288804886.000001504DF8C000.00000004.sdmpString found in binary or memory: https://www.bing.c-
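Almost every URL in the list above was found in the memory of explorer.exe (process 00000011, the injected system process) or SearchUI.exe, and the long run of search-engine and favicon addresses at FED3000 is the kind of search-provider table that Internet Explorer components keep in memory; it tells you nothing about where the sample talks to. The lines worth a second look are the ones whose source is the sample itself or its dropped payload, such as the Sectigo CPS URL in mFz2QmQMh5.exe, which points at a code-signing certificate rather than at C2. The triage helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses flattened "String found in binary or memory" lines (both the fused "sdmpString found" form and the "sdmp | String found" form), splits out every source process and memory-dump id, and buckets each string by whether any of its sources is the sample or a dropped file. The five sample lines are copied from the report above; the process names passed as `sample_procs` are the sample and its dropped payload from this analysis.

```python
"""Triage helper for flattened Joe Sandbox 'String found in binary or memory' lines.

Added example, not part of the sandbox report. It separates strings that come
from the sample or its dropped payload from strings that merely live in the
memory of system processes such as explorer.exe or SearchUI.exe.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One flattened report line. The separator between the source column and the
# finding column may be missing entirely (extraction fused "...sdmpString found").
LINE_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)\s*\|?\s*String found in binary or memory:\s*(?P<value>.+)$"
)
# A source entry: a process image, optionally followed by the memory-dump id.
# Strings found in the sample file itself carry no dump id.
DUMP_RE = re.compile(r"(?P<proc>[\w.-]+\.exe)(?:,\s*(?P<dump>[0-9A-Fa-f.]+\.sdmp))?")

# Constructed sample input: five lines copied verbatim from the report above.
SAMPLE_LINES = [
    "Source: explorer.exe, 00000011.00000000.6758734791.000000000FED3000.00000002.sdmpString found in binary or memory: http://www.google.com/favicon.ico",
    "Source: explorer.exe, 00000011.00000000.6697478179.000000000BC96000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8953396717.0000015052846000.00000002.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0",
    "Source: explorer.exe, 00000011.00000000.6723747431.000000000EC10000.00000004.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J",
    "Source: mFz2QmQMh5.exeString found in binary or memory: https://sectigo.com/CPS0C",
    "Source: SearchUI.exe, 00000023.00000000.8288804886.000001504DF8C000.00000004.sdmpString found in binary or memory: https://www.bing.c",
]
# The sample and the file it dropped, as named in this report.
SAMPLE_PROCS = {"mFz2QmQMh5.exe", "yxugwjud3784.exe"}


def parse_line(line):
    """Return {'sources': [(proc, dump_or_None), ...], 'value': str} or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sources = [(d.group("proc"), d.group("dump")) for d in DUMP_RE.finditer(m.group("sources"))]
    return {"sources": sources, "value": m.group("value").strip()}


def host_of(value):
    """Hostname of a URL-looking string, '' for strings that are not URLs."""
    return urlsplit(value).hostname or ""


def triage(lines, sample_procs):
    """Bucket each string by origin and collect the hosts seen per process."""
    wanted = {p.lower() for p in sample_procs}
    out = {"sample": [], "system": [], "hosts_by_process": defaultdict(set), "unparsed": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            out["unparsed"].append(line)
            continue
        procs = {p.lower() for p, _ in rec["sources"]}
        # A string counts as sample-origin if ANY of its sources is the sample
        # or a dropped file; a hit shared with a system process is still kept.
        out["sample" if procs & wanted else "system"].append(rec["value"])
        host = host_of(rec["value"])
        if host:
            for p in procs:
                out["hosts_by_process"][p].add(host)
    return out


def run_sample():
    """Triage the constructed sample lines with this report's process names."""
    return triage(SAMPLE_LINES, SAMPLE_PROCS)


if __name__ == "__main__":
    result = run_sample()
    print("sample-origin strings:", result["sample"])
    print("system-process strings:", len(result["system"]))
    for proc, hosts in sorted(result["hosts_by_process"].items()):
        print(f"{proc}: {sorted(hosts)}")
```

Feed it the whole "String found" block of a report and the `sample` bucket is the short list to check against threat intel; the `hosts_by_process` map makes it obvious when hundreds of hosts all sit in one explorer.exe dump, which is the signature of a search-provider table rather than of contacted infrastructure.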

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: yxugwjud3784.exe, 00000004.00000003.5190487474.0000000003384000.00000004.sdmp | Binary or memory string: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File moved: C:\Users\user\Desktop\TQDFJHPUIU.xlsx
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File moved: C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File moved: C:\Users\user\Desktop\EWZCVGNOWT.xlsx
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File moved: C:\Users\user\Desktop\EIVQSAOTAQ\EWZCVGNOWT.xlsx
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File moved: C:\Users\user\Desktop\GIGIYTFFYT\TQDFJHPUIU.xlsx
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: suzumcpherson@protonmail.com asuxidoruraep1999@o2.pl

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Process Stats: CPU usage > 98%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008981B0: CreateFileW,DeviceIoControl,CloseHandle
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Creates mutexes
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5052
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3828
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3300
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2864:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B82B7
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008582C0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00908351
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B84DB
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00894580
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00880650
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B4670
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B8925
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C0CC0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B8DBF
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00914F36
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C1080
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008E1040
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F5055
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A5190
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F1720
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B5740
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A19D0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C1950
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0087DA30
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A1BE0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00895E90
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A1E60
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008DE0BA
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A2030
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00872170
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008A6310
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C26C0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008DE8A0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008FE8DB
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F2953
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C2AA0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00892A00
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00902CA0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F2CC5
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0084EC70
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0086ADB0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00872FC0
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C2F00
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F2F6F
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F3236
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008F34F1
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008E3438
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0088B450
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B756A
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B7577
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008C7984
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_008B7912
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_0084EC70
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008DE0BA
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A2030
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00872170
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B82B7
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008582C0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A6310
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00908351
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B84DB
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00894580
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C26C0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00880650
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B4670
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008DE8A0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B8925
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008F2953
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C2AA0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00892A00
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00902CA0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C0CC0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B8DBF
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_0086ADB0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00872FC0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C2F00
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00914F36
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C1080
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008E1040
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008F5055
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A5190
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008E3438
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_0088B450
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B756A
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B7577
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008F1720
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B5740
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C7984
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A19D0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008B7912
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008FB956
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008C1950
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00893960
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_0090F979
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_0087DA30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A1BE0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00895E90
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_008A1E60
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008A2030
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008F5055
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008FB956
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008F2953
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00872170
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00846220
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_0087DA30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00908351
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008A0B50
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00902CA0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00848C70
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008C26C0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00872FC0
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_00914F36
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 5_2_008F1720
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: String function: 008DAD22 appears 66 times
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: String function: 008DB020 appears 51 times
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: String function: 008DACEE appears 161 times
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: String function: 008DA1BA appears 60 times
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: String function: 00855470 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 008FFB85 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 008DAD22 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 008F4A56 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 008DB020 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 008DACEE appears 137 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 00855470 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: String function: 0090C001 appears 34 times
One or more processes crash
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 3828 -ip 3828
Sample file is different than original file name gathered from version info
Source: mFz2QmQMh5.exe, 00000000.00000000.4870726761.0000000000967000.00000002.sdmp Binary or memory string: OriginalFilename yxugwjudB vs mFz2QmQMh5.exe
Source: mFz2QmQMh5.exe Binary or memory string: OriginalFilename yxugwjudB vs mFz2QmQMh5.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: bcd.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: bcd.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: bcd.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: bcd.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Source: C:\Windows\explorer.exe Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe Section loaded: imapi2.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Section loaded: wow64log.dll
Classification label
Source: classification engine Classification label: mal76.rans.phis.spyw.evad.winEXE@43/139@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_00851D30 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe Code function: 4_1_00851D30 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Code function: 0_2_0084C3F0 CoCreateInstance
Creates files inside the user directory
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe File created: C:\Users\Public\Desktop\README_LOCKED.txt
Creates temporary files
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER261A.tmp
Launches a second explorer.exe instance
Source: unknown Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: mFz2QmQMh5.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments (.Net)
Source: mFz2QmQMh5.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Spawns processes
Source: unknown Process created: C:\Users\user\Desktop\mFz2QmQMh5.exe 'C:\Users\user\Desktop\mFz2QmQMh5.exe'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\mFz2QmQMh5.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -m
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 3828 -ip 3828
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3828 -s 3408
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3828 -s 3408
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 704
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 736
Source: unknown Process created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe unknown
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: unknownProcess created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Source: C:\Users\user\Desktop\mFz2QmQMh5.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\mFz2QmQMh5.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeJump to behavior
Source: C:\Users\user\Desktop\mFz2QmQMh5.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -mJump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3828 -s 3408
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0bf754aa-c967-445c-ab3d-d8fda9bae7ef}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: mFz2QmQMh5.exe; Static file information: File size 1254264 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: mFz2QmQMh5.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: mFz2QmQMh5.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: LoggingPlatform64.pdb source: explorer.exe, 00000011.00000000.6828725961.00007FFBA8871000.00000002.sdmp
Source: Binary string: msvcp120.amd64.pdb source: explorer.exe, 00000011.00000000.6826546905.00007FFBA70D5000.00000002.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000011.00000000.6717406228.000000000DE90000.00000002.sdmp
Source: Binary string: LoggingPlatform64.pdb"" source: explorer.exe, 00000011.00000000.6828725961.00007FFBA8871000.00000002.sdmp
Source: Binary string: msvcr120.amd64.pdb source: explorer.exe, 00000011.00000000.6823049506.00007FFBA7038000.00000002.sdmp
Source: Binary string: FileSyncShell64.pdbII" source: explorer.exe, 00000011.00000000.6806529595.00007FFBA5405000.00000002.sdmp
Source: Binary string: FileSyncShell64.pdb source: explorer.exe, 00000011.00000000.6806529595.00007FFBA5405000.00000002.sdmp
Source: Binary string: oledb32.pdbUGP source: explorer.exe, 00000011.00000000.6831583611.00007FFBBE95A000.00000002.sdmp
Source: Binary string: oledb32.pdb source: explorer.exe, 00000011.00000000.6831583611.00007FFBBE95A000.00000002.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000011.00000000.6717406228.000000000DE90000.00000002.sdmp
PE file contains a valid data directory to section mapping
Source: mFz2QmQMh5.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mFz2QmQMh5.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mFz2QmQMh5.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mFz2QmQMh5.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mFz2QmQMh5.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008E9707 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_008E9707
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008DACB7 push ecx; ret 0_2_008DACCA
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008DB066 push ecx; ret 0_2_008DB079
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_008DACB7 push ecx; ret 4_1_008DACCA
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_008DB066 push ecx; ret 4_1_008DB079
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_008DB066 push ecx; ret 5_2_008DB079
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_008DACB7 push ecx; ret 5_2_008DACCA

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; File created: C:\Users\Public\Desktop\README_LOCKED.txt

Boot Survival:

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Windows\explorer.exe; Window found: window name: Progman

Hooking and other Techniques for Hiding and Protection:

Moves itself to temp directory
Source: c:\users\user\desktop\mfz2qmqmh5.exe; File moved: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008C7984 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_008C7984
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 1550
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 1426
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 1133
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 1366
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 355
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 825
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 876
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Window / User API: threadDelayed 474
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_4-81817
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; API coverage: 7.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3844; Thread sleep count: 1550 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3844; Thread sleep count: 110 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3844; Thread sleep count: 63 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 1868; Thread sleep count: 1426 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 1868; Thread sleep count: 90 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 1868; Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 4396; Thread sleep count: 1133 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 4396; Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3700; Thread sleep count: 1366 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3700; Thread sleep count: 110 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3988; Thread sleep count: 355 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3468; Thread sleep count: 82 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3164; Thread sleep count: 825 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3164; Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 1872; Thread sleep count: 876 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 1872; Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3424; Thread sleep count: 474 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3424; Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe TID: 3328; Thread sleep count: 231 > 30
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_00911807 FindFirstFileExA, 0_2_00911807
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError, 0_2_00897710
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError, 4_1_00897710
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_00911807 FindFirstFileExA, 4_1_00911807
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_00897710 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError, 5_2_00897710
Contains functionality to query local drives
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_0084DB50 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW, 0_2_0084DB50
Contains functionality to query system information
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_00841280 GetSystemInfo, 0_2_00841280
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000011.00000000.6652679586.0000000007790000.00000002.sdmp, yxugwjud3784.exe, 00000016.00000000.7651607932.0000000002D10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.10226391314.0000015054430000.00000002.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: yxugwjud3784.exe, 00000006.00000002.5902077478.0000000000E48000.00000004.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: explorer.exe, 00000011.00000000.6652679586.0000000007790000.00000002.sdmp, yxugwjud3784.exe, 00000016.00000000.7651607932.0000000002D10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.10226391314.0000015054430000.00000002.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000011.00000000.6652679586.0000000007790000.00000002.sdmp, yxugwjud3784.exe, 00000016.00000000.7651607932.0000000002D10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.10226391314.0000015054430000.00000002.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: yxugwjud3784.exe, 00000005.00000002.5898255019.0000000000AD0000.00000004.sdmp, yxugwjud3784.exe, 0000000F.00000000.8439606080.0000000000D38000.00000004.sdmp, yxugwjud3784.exe, 00000016.00000002.9628405895.0000000000B68000.00000004.sdmp, SearchUI.exe, 00000023.00000000.8771106840.000001504FD59000.00000004.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000011.00000000.6652679586.0000000007790000.00000002.sdmp, yxugwjud3784.exe, 00000016.00000000.7651607932.0000000002D10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.10226391314.0000015054430000.00000002.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process information queried: ProcessInformation

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_local_temp_e9909ceecd3f6f71.cdf-ms
Source: C:\Windows\SysWOW64\WerFault.exe; File opened: C:\Windows\WinSxS\FileMaps\$$.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe; System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008FC431 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008FC431
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008E9707 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_008E9707
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_0090616A mov eax, dword ptr fs:[00000030h] 0_2_0090616A
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_0090616A mov eax, dword ptr fs:[00000030h] 4_1_0090616A
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_0090616A mov eax, dword ptr fs:[00000030h] 5_2_0090616A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_00911BF6 GetProcessHeap, 0_2_00911BF6
Enables debug privileges
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008DB21E SetUnhandledExceptionFilter, 0_2_008DB21E
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008FC431 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008FC431
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008DADCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_008DADCA
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_008DB08B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008DB08B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_008FC431 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_1_008FC431
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_008DADCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_1_008DADCA
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 4_1_008DB08B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_1_008DB08B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_008FC431 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_008FC431
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Code function: 5_2_008DADCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_008DADCA

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\explorer.exe; Memory allocated: C:\Windows\System32\WerFault.exe base: 16426C80000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WerFault.exe; Memory written: PID: 3828 base: 28B0000 value: 50
Source: C:\Windows\System32\WerFault.exe; Memory written: PID: 3828 base: 28B0478 value: 00
Writes to foreign memory regions
Source: C:\Windows\System32\WerFault.exe; Memory written: C:\Windows\explorer.exe base: 28B0000
Source: C:\Windows\System32\WerFault.exe; Memory written: C:\Windows\explorer.exe base: 28B0478
Source: C:\Windows\explorer.exe; Memory written: C:\Windows\System32\WerFault.exe base: 16426C80000
Source: C:\Windows\explorer.exe; Memory written: C:\Windows\System32\WerFault.exe base: 198DA3F2D8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y C:\Users\user\Desktop\mFz2QmQMh5.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -m
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe -i Global\SM-yxugwjud -s
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe; Process created: unknown unknown
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe; Code function: 0_2_00841230 InitializeSecurityDescriptor,SetSecurityDescriptorDacl, 0_2_00841230
May try to detect the Windows Explorer process (often used for injection)
Source: yxugwjud3784.exe, 0000000F.00000000.8502842941.0000000001420000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8396881087.000001504E460000.00000002.sdmp; Binary or memory string: Program Manager
Source: yxugwjud3784.exe, 0000000F.00000000.8502842941.0000000001420000.00000002.sdmp, explorer.exe, 00000011.00000000.6566312328.0000000004900000.00000004.sdmp, yxugwjud3784.exe, 00000012.00000000.7182021838.0000000000E10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8396881087.000001504E460000.00000002.sdmp; Binary or memory string: Shell_TrayWnd
Source: yxugwjud3784.exe, 0000000F.00000000.8502842941.0000000001420000.00000002.sdmp, explorer.exe, 00000011.00000000.6563149000.0000000004817000.00000004.sdmp, yxugwjud3784.exe, 00000012.00000000.7182021838.0000000000E10000.00000002.sdmp, SearchUI.exe, 00000023.00000000.8396881087.000001504E460000.00000002.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000011.00000000.6848809169.00000000007D0000.00000004.sdmp; Binary or memory string: ProgmanC:l
Source: explorer.exe, 00000011.00000000.6180092019.0000000000CB0000.00000002.sdmp, yxugwjud3784.exe, 00000012.00000000.7182021838.0000000000E10000.00000002.sdmp; Binary or memory string: Program ManagerUR

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: GetLocaleInfoW,0_2_0091406E
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0091413B
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: GetLocaleInfoW,0_2_0090C424
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: GetLocaleInfoW,0_2_008D9BD8
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: ___crtGetLocaleInfoEx,0_2_008D9CD1
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00913803
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,4_1_0091406E
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_1_0091413B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,4_1_0090C424
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_1_00913803
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,4_1_00913AC6
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,4_1_00913A7B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,4_1_008D9BD8
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_1_00913BEE
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,4_1_00913B61
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: ___crtGetLocaleInfoEx,4_1_008D9CD1
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,4_1_00913E3E
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,4_1_0090BF3B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_1_00913F67
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_00913803
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_0091413B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,5_2_00913AC6
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,5_2_00913A7B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,5_2_00913B61
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,5_2_0090C424
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: EnumSystemLocalesW,5_2_0090BF3B
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_00913F67
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_008DA7A3 cpuid 0_2_008DA7A3
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\EWZCVGNOWT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\TQDFJHPUIU.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT\TQDFJHPUIU.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000003.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{3391F5B3-9A64-4217-9677-0C781A226494}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\page_load_capping_opt_out.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\GIGIYTFFYT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT\GIGIYTFFYT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{27A99B88-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000000d.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\KLIZUSIQEN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT\GIGIYTFFYT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{9769B2F7-893A-4541-B3EC-53676975ABE9}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.67 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F76193F4-804D-487E-84B3-EF6FC382142D}\mpasbase.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313_2\OneDriveSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F76193F4-804D-487E-84B3-EF6FC382142D}\mpasdlta.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT\TQDFJHPUIU.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\EWZCVGNOWT.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\GIGIYTFFYT.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\EWZCVGNOWT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{09433F07-F965-4FC4-A950-6CC9E0EF15AA}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\EIVQSAOTAQ\EWZCVGNOWT.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\TQDFJHPUIU.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\EWZCVGNOWT\KLIZUSIQEN.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Documents\GIGIYTFFYT\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\Desktop\GIGIYTFFYT\QCOILOQIKC.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000000e.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{AB0AE452-CAD2-4B07-95DE-EADB1864850A}.2.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\cache2\entries\BE5748A821F706A5E07FAA429AD96DDDB7413E35 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmp83BC.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.80 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmp6496.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.7E VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{902A20F7-8076-4A94-8321-875ECA5EC89E}.2.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmp6793.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{81FB1943-02D3-4E92-A40A-1AE4BB7705DA}.2.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F76193F4-804D-487E-84B3-EF6FC382142D}\mpavbase.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.79 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F76193F4-804D-487E-84B3-EF6FC382142D}\mpavdlta.vdm VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive\17.3.6816.0313\OneDriveSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmpDF8D.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F76193F4-804D-487E-84B3-EF6FC382142D}\mpengine.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{EB881700-C972-4EE9-A051-D0E0E954A061}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1801120055.msp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmp85EF.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\tmpE26C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-DF68D8AF8DD2A31618D3153E051D9824853D99C8.bin.A0 VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_0090C48E GetSystemTimeAsFileTime,0_2_0090C48E
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_0091124B _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0091124B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_008E0D7B GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,0_2_008E0D7B
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\cache2\entries\BE5748A821F706A5E07FAA429AD96DDDB7413E35.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File written: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\cache2\entries\BE5748A821F706A5E07FAA429AD96DDDB7413E35.locked

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\cache2\entries\BE5748A821F706A5E07FAA429AD96DDDB7413E35
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\6c4zjj0s.default\cache2\entries\BE5748A821F706A5E07FAA429AD96DDDB7413E35.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\page_load_capping_opt_out.db
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\page_load_capping_opt_out.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.locked
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | File opened: \C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db.locked

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_00841400 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00841400
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_008EC372 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_008EC372
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_00842080 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,0_2_00842080
Source: C:\Users\user\Desktop\mFz2QmQMh5.exe | Code function: 0_2_008EB69F Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_008EB69F
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: 4_1_008EC372 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,4_1_008EC372
Source: C:\Users\user\AppData\Local\Temp\yxugwjud3784.exe | Code function: 4_1_008EB69F Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,4_1_008EB69F

Behavior Graph

Behavior Graph ID: 115449, Sample: mFz2QmQMh5.exe, Startdate: 08/03/2019, Architecture: WINDOWS, Score: 76. The graph image itself is not recoverable; the process nodes, edges and signature labels that survive extraction are:

  • Start: started mFz2QmQMh5.exe 1, WerFault.exe, explorer.exe and 2 other processes
  • mFz2QmQMh5.exe 1: started yxugwjud3784.exe and cmd.exe 1; signature: Writes a notice file (html or txt) to demand a ransom
  • WerFault.exe: injected explorer.exe; signatures: Injects code into the Windows Explorer (explorer.exe), Writes to foreign memory regions
  • explorer.exe (started from Start): signature: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
  • yxugwjud3784.exe: started three further yxugwjud3784.exe 55 instances and 9 other processes; signature: Writes a notice file (html or txt) to demand a ransom
  • cmd.exe 1: started conhost.exe; signature: Moves itself to temp directory
  • explorer.exe (injected): started WerFault.exe twice; signatures: Writes to foreign memory regions, Allocates memory in foreign processes
  • Created file: C:\Users\user\AppData\...\key4.db.locked, data