
Analysis Report Sample_5c9110cdfb71a9405f18bc2d.bin

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 118361
Start date: 22.03.2019
Start time: 10:02:47
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Sample_5c9110cdfb71a9405f18bc2d.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.rans.phis.spyw.evad.winEXE@352/122@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 11.3% (good quality ratio 10.6%)
  • Quality average: 61.9%
  • Quality standard deviation: 25.2%
HCA Information:
  • Successful, ratio: 91%
  • Number of executed functions: 99
  • Number of non-executed functions: 196
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Detection

Strategy   Score  Range    Reporting       Whitelisted  Detection
Threshold  92     0 - 100  Report FP / FN  false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts (1), Replication Through Removable Media, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link
Execution: Windows Remote Management, Service Execution, Windows Management Instrumentation, Scheduled Task, Command-Line Interface
Persistence: Valid Accounts (1), Port Monitors, Accessibility Features, System Firmware, Shortcut Modification
Privilege Escalation: Valid Accounts (1), Process Injection (11), Path Interception, DLL Search Order Hijacking, File System Permissions Weakness
Defense Evasion: Valid Accounts (1), Process Injection (11), Obfuscated Files or Information (2), Obfuscated Files or Information, Masquerading
Credential Access: Input Capture (21), Input Prompt (1), Input Capture, Credentials in Files, Account Manipulation
Discovery: Network Share Discovery (1), Process Discovery (1), Security Software Discovery (41), File and Directory Discovery (11), System Information Discovery (22)
Lateral Movement: Application Deployment Software, Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot
Collection: Input Capture (21), Data from Local System (1), Data from Network Shared Drive, Input Capture, Data Staged
Exfiltration: Data Compressed, Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (2), Fallback Channels, Custom Cryptographic Protocol, Multiband Communication, Standard Cryptographic Protocol

Signature Overview

AV Detection:

Antivirus detection for submitted file
Source: Sample_5c9110cdfb71a9405f18bc2.exe Avira: Label: TR/LockerGoga.qnfzd
Multi AV Scanner detection for submitted file
Source: Sample_5c9110cdfb71a9405f18bc2.exe virustotal: Detection: 64%
Source: Sample_5c9110cdfb71a9405f18bc2.exe metadefender: Detection: 21%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FEA250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,4_2_00FEA250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FEA8E0 CryptReleaseContext,4_2_00FEA8E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FEA9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,4_2_00FEA9B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FEA250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,4_1_00FEA250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FEA8E0 CryptReleaseContext,4_1_00FEA8E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FEA9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,4_1_00FEA9B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FEA250 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,CryptAcquireContextA,___std_exception_copy,27_1_00FEA250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FEA8E0 CryptReleaseContext,27_1_00FEA8E0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FEA810 ReleaseMutex,CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,27_1_00FEA810
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FEA9B0 CryptGenRandom,CryptReleaseContext,__CxxThrowException@8,27_1_00FEA9B0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FEA3B0 CryptAcquireContextA,GetLastError,CryptReleaseContext,27_1_00FEA3B0

Phishing:

Overwrites the password of the administrator account
Source: unknown Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: unknown Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD

Spreading:

Contains functionality to enumerate network shares
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FB5250 NetUserEnum,NetApiBufferFree,NetApiBufferFree,4_2_00FB5250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FB5250 NetUserEnum,NetApiBufferFree,NetApiBufferFree,4_1_00FB5250
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FB5250 NetUserEnum,NetApiBufferFree,NetApiBufferFree,27_1_00FB5250
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,4_2_00FC9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_01044A3B FindFirstFileExA,4_2_01044A3B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,4_1_00FC9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,27_1_00FC9970
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00F7CE90 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,4_2_00F7CE90

Networking:

Urls found in memory or binary data
Source: Sample_5c9110cdfb71a9405f18bc2.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Sample_5c9110cdfb71a9405f18bc2.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Sample_5c9110cdfb71a9405f18bc2.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: Sample_5c9110cdfb71a9405f18bc2.exe String found in binary or memory: https://sectigo.com/CPS0C

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Sample_5c9110cdfb71a9405f18bc2d.exe, 00000001.00000002.7426306578.0000000001750000.00000004.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: tgytutrc3413.exe, 00000004.00000003.7690104689.0000000002B97000.00000004.sdmp Binary or memory string: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_RegisterRawInputDevices.au3

Spam, unwanted Advertisements and Ransom Demands:

Detected suspicious e-Mail address in disassembly
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: DharmaParrack@protonmail.com wyattpettigrew8922555@mail.com 27_1_00FB13D0
Writes a notice file (html or txt) to demand a ransom
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> decryptor etc. will lead to irreversible destruction of your data. to confirm our honest intentions. send us 2-3 different random files and you will get them decrypted. it can be from different computers on your network to be sure that our decoder decrypts everything. sample files we unlock for free (files should not be related to any kind of backups). we exclusively have decryption software for your situation do not reset or shutdown - files may be damaged. do not rename the encrypted files. do not move the encrypted files. this may lead to the impossibility of recovery of the certain files. the payment has to be made in bitcoins. the final price depends on how fast you contact us. as soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security to get information on the price of the decoder contact us at: dharmaparrack@protonmail.com wyattpettigrew8922555@mail.com
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File dropped: C:\Users\Public\Desktop\README_LOCKED.txt -> (same note text as above)

DDoS:

Too many similar processes found
Source: unknown Process created: 271
Source: tgytutrc3413.exe Process created: 48

System Summary:

Contains functionality to disable network adapters
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FB38B0 GetAdaptersAddresses,GetAdaptersAddresses,GetAdaptersAddresses,27_1_00FB38B0
Uses logoff.exe to logoff the current user
Source: unknown Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FAFC60 GetDriveTypeW,ReleaseMutex,GetDriveTypeW,GetFileAttributesExW,NtOpenFile,NtReadFile,NtWriteFile,NtWriteFile,27_1_00FAFC60
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FCA410: CreateFileW,DeviceIoControl,CloseHandle,4_2_00FCA410
Creates mutexes
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4932:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2380:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3240:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2372:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_01
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: String function: 0100DE0E appears 66 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: String function: 0100E140 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: String function: 00F84B00 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: String function: 0100DE42 appears 31 times
Sample file is different than original file name gathered from version info
Source: Sample_5c9110cdfb71a9405f18bc2.exe Binary or memory string: OriginalFilenametgytutrcB vs Sample_5c9110cdfb71a9405f18bc2.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Section loaded: wow64log.dll
Binary contains paths to development resources
Source: tgytutrc3413.exe, 00000004.00000002.8652018604.0000000000020000.00000004.sdmp Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.slnkd/
Source: tgytutrc3413.exe, 00000004.00000002.8652018604.0000000000020000.00000004.sdmp Binary or memory string: C:\Program Files (x86)\AutoIt3\AutoItX\Examples\C++\AutoItX.sln
Classification label
Source: classification engine Classification label: mal92.rans.phis.spyw.evad.winEXE@352/122@0/0
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00F81760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,4_2_00F81760
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00F81760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,4_1_00F81760
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00F81760 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,27_1_00F81760
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00F7B450 CoCreateInstance,27_1_00F7B450
Creates files inside the user directory
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe File created: C:\Users\Public\Desktop\README_LOCKED.txt
PE file has an executable .text section and no other executable section
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Sample_5c9110cdfb71a9405f18bc2.exe virustotal: Detection: 64%
Source: Sample_5c9110cdfb71a9405f18bc2.exe metadefender: Detection: 21%
Sample might require command line arguments (.Net)
Source: Sample_5c9110cdfb71a9405f18bc2.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Spawns processes
Source: unknownProcess created: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe 'C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe'
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe' C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -m
Source: unknownProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknownProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: unknownProcess created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJD
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe' C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -m
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0 (5 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s (11 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s (4 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (23 identical entries; the report gives no image path or command line for these)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (8 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (22 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (12 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (12 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (19 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (53 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (47 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe | Process created: unknown unknown (7 identical entries)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJDJump to behavior
Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJDJump to behavior
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static file information: File size 1268600 > 1048576
PE file contains a mix of data directories often seen in goodware
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Sample_5c9110cdfb71a9405f18bc2.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_0101C820 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_0101C820
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_0100E186 push ecx; ret 27_1_0100E199
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_0100DDD7 push ecx; ret 27_1_0100DDEA

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe File created: C:\Users\Public\Desktop\README_LOCKED.txt

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Stalling execution: Execution stalls by calling Sleep (graph_4-24758)
Enumerates the file system
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\microsoft.system.package.metadata\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\Deleted\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe File opened: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_4.22.3254.0_neutral_split.scale-150_8wekyb3d8bbwe\
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\conhost.exe TID: 4060 Thread sleep count: 196 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,4_2_00FC9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_01044A3B FindFirstFileExA,4_2_01044A3B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,4_1_00FC9970
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00FC9970 FindFirstFileW,GetLastError,GetLastError,GetLastError,GetLastError,27_1_00FC9970
Contains functionality to query local drives
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00F7CE90 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,4_2_00F7CE90
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00F9D0D0 GetSystemInfo,GetLastError,MapViewOfFileEx,GetLastError,CloseHandle,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,DuplicateHandle,GetLastError,__CxxThrowException@8,4_2_00F9D0D0
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: logoff.exe, 00000005.00000002.7430445932.00000243733E0000.00000002.sdmp, logoff.exe, 00000006.00000002.7433299425.0000018A5A330000.00000002.sdmp, logoff.exe, 00000008.00000002.7433267662.000002CD9E180000.00000002.sdmp, logoff.exe, 0000000A.00000002.7435453432.000001E1CB820000.00000002.sdmp, logoff.exe, 0000000C.00000002.7436443637.000001DAEB1E0000.00000002.sdmp, tgytutrc3413.exe, 00000016.00000002.7616427685.0000000002C20000.00000002.sdmp, tgytutrc3413.exe, 00000017.00000002.7702652869.0000000003620000.00000002.sdmp, tgytutrc3413.exe, 00000018.00000002.7667542140.0000000002980000.00000002.sdmp, tgytutrc3413.exe, 00000019.00000002.7699083799.0000000002BF0000.00000002.sdmp, tgytutrc3413.exe, 0000001A.00000002.7678340238.00000000037A0000.00000002.sdmp, tgytutrc3413.exe, 0000001B.00000002.7827179898.0000000003580000.00000002.sdmp, tgytutrc3413.exe, 0000001C.00000002.7754347402.0000000002A00000.00000002.sdmp, tgytutrc3413.exe, 0000001E.00000002.7854275874.0000000002900000.00000002.sdmp, tgytutrc3413.exe, 0000001F.00000002.7758068361.0000000003550000.00000002.sdmp, tgytutrc3413.exe, 00000020.00000002.7886023458.0000000003220000.00000002.sdmp, tgytutrc3413.exe, 00000024.00000002.7945185428.00000000033B0000.00000002.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tgytutrc3413.exe, 0000001C.00000002.7689054218.00000000000B0000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: tgytutrc3413.exe, 00000018.00000002.7614086472.0000000000100000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: tgytutrc3413.exe, 00000019.00000002.7619692550.00000000008D0000.00000004.sdmp, tgytutrc3413.exe, 00000028.00000002.8207730615.0000000000E30000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: tgytutrc3413.exe, 0000001A.00000003.7586692417.00000000016DB000.00000004.sdmp, tgytutrc3413.exe, 00000026.00000003.7890555707.000000000007B000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: logoff.exe, 00000005.00000002.7430445932.00000243733E0000.00000002.sdmp, logoff.exe, 00000006.00000002.7433299425.0000018A5A330000.00000002.sdmp, logoff.exe, 00000008.00000002.7433267662.000002CD9E180000.00000002.sdmp, logoff.exe, 0000000A.00000002.7435453432.000001E1CB820000.00000002.sdmp, logoff.exe, 0000000C.00000002.7436443637.000001DAEB1E0000.00000002.sdmp, tgytutrc3413.exe, 00000016.00000002.7616427685.0000000002C20000.00000002.sdmp, tgytutrc3413.exe, 00000017.00000002.7702652869.0000000003620000.00000002.sdmp, tgytutrc3413.exe, 00000018.00000002.7667542140.0000000002980000.00000002.sdmp, tgytutrc3413.exe, 00000019.00000002.7699083799.0000000002BF0000.00000002.sdmp, tgytutrc3413.exe, 0000001A.00000002.7678340238.00000000037A0000.00000002.sdmp, tgytutrc3413.exe, 0000001B.00000002.7827179898.0000000003580000.00000002.sdmp, tgytutrc3413.exe, 0000001C.00000002.7754347402.0000000002A00000.00000002.sdmp, tgytutrc3413.exe, 0000001E.00000002.7854275874.0000000002900000.00000002.sdmp, tgytutrc3413.exe, 0000001F.00000002.7758068361.0000000003550000.00000002.sdmp, tgytutrc3413.exe, 00000020.00000002.7886023458.0000000003220000.00000002.sdmp, tgytutrc3413.exe, 00000024.00000002.7945185428.00000000033B0000.00000002.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: logoff.exe, 00000005.00000002.7430445932.00000243733E0000.00000002.sdmp, logoff.exe, 00000006.00000002.7433299425.0000018A5A330000.00000002.sdmp, logoff.exe, 00000008.00000002.7433267662.000002CD9E180000.00000002.sdmp, logoff.exe, 0000000A.00000002.7435453432.000001E1CB820000.00000002.sdmp, logoff.exe, 0000000C.00000002.7436443637.000001DAEB1E0000.00000002.sdmp, tgytutrc3413.exe, 00000016.00000002.7616427685.0000000002C20000.00000002.sdmp, tgytutrc3413.exe, 00000017.00000002.7702652869.0000000003620000.00000002.sdmp, tgytutrc3413.exe, 00000018.00000002.7667542140.0000000002980000.00000002.sdmp, tgytutrc3413.exe, 00000019.00000002.7699083799.0000000002BF0000.00000002.sdmp, tgytutrc3413.exe, 0000001A.00000002.7678340238.00000000037A0000.00000002.sdmp, tgytutrc3413.exe, 0000001B.00000002.7827179898.0000000003580000.00000002.sdmp, tgytutrc3413.exe, 0000001C.00000002.7754347402.0000000002A00000.00000002.sdmp, tgytutrc3413.exe, 0000001E.00000002.7854275874.0000000002900000.00000002.sdmp, tgytutrc3413.exe, 0000001F.00000002.7758068361.0000000003550000.00000002.sdmp, tgytutrc3413.exe, 00000020.00000002.7886023458.0000000003220000.00000002.sdmp, tgytutrc3413.exe, 00000024.00000002.7945185428.00000000033B0000.00000002.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Sample_5c9110cdfb71a9405f18bc2d.exe, 00000001.00000003.7419450049.0000000001775000.00000004.sdmp, tgytutrc3413.exe, 00000004.00000002.8652018604.0000000000020000.00000004.sdmp, tgytutrc3413.exe, 0000001E.00000003.7751695294.00000000006DB000.00000004.sdmp, tgytutrc3413.exe, 0000001F.00000002.7708876650.00000000013C0000.00000004.sdmp, tgytutrc3413.exe, 00000023.00000002.7896730697.00000000013F0000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: logoff.exe, 00000005.00000002.7430445932.00000243733E0000.00000002.sdmp, logoff.exe, 00000006.00000002.7433299425.0000018A5A330000.00000002.sdmp, logoff.exe, 00000008.00000002.7433267662.000002CD9E180000.00000002.sdmp, logoff.exe, 0000000A.00000002.7435453432.000001E1CB820000.00000002.sdmp, logoff.exe, 0000000C.00000002.7436443637.000001DAEB1E0000.00000002.sdmp, tgytutrc3413.exe, 00000016.00000002.7616427685.0000000002C20000.00000002.sdmp, tgytutrc3413.exe, 00000017.00000002.7702652869.0000000003620000.00000002.sdmp, tgytutrc3413.exe, 00000018.00000002.7667542140.0000000002980000.00000002.sdmp, tgytutrc3413.exe, 00000019.00000002.7699083799.0000000002BF0000.00000002.sdmp, tgytutrc3413.exe, 0000001A.00000002.7678340238.00000000037A0000.00000002.sdmp, tgytutrc3413.exe, 0000001B.00000002.7827179898.0000000003580000.00000002.sdmp, tgytutrc3413.exe, 0000001C.00000002.7754347402.0000000002A00000.00000002.sdmp, tgytutrc3413.exe, 0000001E.00000002.7854275874.0000000002900000.00000002.sdmp, tgytutrc3413.exe, 0000001F.00000002.7758068361.0000000003550000.00000002.sdmp, tgytutrc3413.exe, 00000020.00000002.7886023458.0000000003220000.00000002.sdmp, tgytutrc3413.exe, 00000024.00000002.7945185428.00000000033B0000.00000002.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: tgytutrc3413.exe, 00000025.00000003.7901617303.000000000125C000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_0102F271 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_1_0102F271
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_00F7CF80 GetLogicalDriveStringsW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,OpenMutexA,GetLastError,WaitForSingleObject,GetCurrentProcessId,__Mtx_unlock,ReleaseMutex,GetLastError,OutputDebugStringA,GetCurrentProcessId,ReleaseMutex,ReleaseMutex,WaitForSingleObject,ReleaseMutex,GetLastError,WaitForSingleObject,ReleaseMutex,GetLastError,ReleaseMutex,GetLastError,GetCurrentProcessId,__Mtx_unlock,CloseHandle,__CxxThrowException@8,__CxxThrowException@8,__CxxThrowException@8,27_1_00F7CF80
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_0101C820 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,4_2_0101C820
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_010390D7 mov eax, dword ptr fs:[00000030h] 27_1_010390D7
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FB47F0 ReleaseMutex,GetTickCount,EnumDependentServicesW,GetLastError,GetProcessHeap,HeapAlloc,EnumDependentServicesW,OpenServiceW,ControlService,Sleep,QueryServiceStatusEx,GetTickCount,@_EH4_CallFilterFunc@8,4_2_00FB47F0
Enables debug privileges
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_0100E33E SetUnhandledExceptionFilter,4_2_0100E33E
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_1_0100E33E SetUnhandledExceptionFilter,4_1_0100E33E
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_0102F271 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,27_1_0102F271
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 27_1_0100DEEA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,27_1_0100DEEA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y 'C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe' C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe
Source: C:\Users\user\Desktop\Sample_5c9110cdfb71a9405f18bc2d.exe Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -m
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Windows\System32\logoff.exe C:\Windows\system32\logoff.exe 0
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user Administrator HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJD
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Windows\System32\net.exe C:\Windows\system32\net.exe user 'user' HuHuHUHoHo283283@dJDJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Process created: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe C:\Users\CRAIGH~1\AppData\Local\Temp\tgytutrc3413.exe -i SM-tgytutrc -s
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user Administrator HuHuHUHoHo283283@dJD
Source: C:\Windows\System32\net.exe Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 user 'user' HuHuHUHoHo283283@dJD
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: 4_2_00FB5690 AllocateAndInitializeSid,LookupAccountSidW,GetLastError,LookupAccountSidW,FreeSid,4_2_00FB5690
May try to detect the Windows Explorer process (often used for injection)
Source: tgytutrc3413.exe, 00000004.00000002.8694902794.0000000001600000.00000002.sdmp Binary or memory string: Shell_TrayWnd
Source: tgytutrc3413.exe, 00000004.00000002.8694902794.0000000001600000.00000002.sdmp Binary or memory string: Progman
Source: tgytutrc3413.exe, 00000004.00000002.8694902794.0000000001600000.00000002.sdmp Binary or memory string: Shell_TrayWndd
Source: tgytutrc3413.exe, 00000004.00000002.8694902794.0000000001600000.00000002.sdmp Binary or memory string: Progmanlock
Source: tgytutrc3413.exe, 00000004.00000002.8694902794.0000000001600000.00000002.sdmp Binary or memory string: Program Manager>

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: ___crtGetLocaleInfoEx,4_2_0100CDE7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: GetLocaleInfoW,4_2_0100CCEE
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: ___crtGetLocaleInfoEx,4_1_0100CDE7
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: GetLocaleInfoW,4_1_0100CCEE
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,27_1_0104719B
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,27_1_0104736F
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: GetLocaleInfoW,27_1_0103F384
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,27_1_01046A37
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: EnumSystemLocalesW,27_1_01046D95
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: EnumSystemLocalesW,27_1_01046CAF
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: EnumSystemLocalesW,27_1_01046CFA
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Code function: EnumSystemLocalesW,27_1_0103EE9B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tipresx.dll.mui VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.50.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Assets\EvokeOrnaments.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\ipp_uwp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\WideTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bug.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\SmallTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\40.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\36.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-multibyte-l1-1-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Windows Photo Viewer\ImagingDevices.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\coffee.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Data\resources.assets VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cat.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cake.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\35.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\31.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bow.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\AppStore_icon.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.49.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.51.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\PhotosApp.Windows.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\cash.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\SkuInterop.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\28.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\41.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\38.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\34.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\WhatsNew.Store.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.5.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\RangeSelector.xbf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.winmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\call.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Windows Photo Viewer\en-US\PhotoViewer.dll.mui VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\39.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\37.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\29.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ko-kr.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\AppCS\Assets\StoryBuilder\CreatingMovieAnimation\LOOP_300px\LOOP_300px.52.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_scale-200.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\clap.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2018.18041.15530.0_x64__8wekyb3d8bbwe\NoiseAsset_256x256_PNG.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\brokenheart.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\4.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\33.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\blush.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\27.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\25.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\PlayStore_icon.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\21.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\cs_get.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adc_logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_ColorSetCOLORREF.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angry.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angel.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\32.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_1.15.1001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\mixer_logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\3.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\24.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bike.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\de-de\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\resources.pri VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\18.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\StringMid.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\30.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\23.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\22.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\20.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bandit.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\COM\wscriptshelltest.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\15.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\26.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\PlayStore_icon.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main.css VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1711.10401.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\tool-view.css VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\17.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.Getstarted_6.13.11581.0_x64__8wekyb3d8bbwe\Resources\TopicPage\Images\playbutton.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_BitmapCreateFromFile[2].au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.SkypeApp_12.1815.210.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\bartlett.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\19.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\count-do.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Crypt_DecryptFile.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\16.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\14.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_IEDocReadHTML.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-pl.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.0.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlIpAddress_GetArray.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Extras\Prettify\prettify.css VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Adobe\ARM\S\18392\AdobeARM.msi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\Windows.CBSPreview_10.0.17134.48_neutral_neutral_cw5n1h2txyewy.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\USOPrivate\UpdateStore\updatestore4df22196-a1f2-426c-aa27-062a9f86aba6.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.7_0\eventpage_bin_prod.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.4_0\craw_background.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\EIS25TGM\www.heise[1].xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{305CB6FE-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1712.1141.0_x64__8wekyb3d8bbwe\_Resources\13.rsrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUIScrollBars_GetScrollBarXYLineButton.au3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-oob.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\windows.immersivecontrolpanel_10.0.2.1000_neutral_neutral_cw5n1h2txyewy.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{09433F07-F965-4FC4-A950-6CC9E0EF15AA}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Caches\{9769B2F7-893A-4541-B3EC-53676975ABE9}.2.ver0x0000000000000002.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Mozilla\updates\E7CF176E110C211B\updates.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\fa\Microsoft.Mashup.Client.UI.resources.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\ClickToRun\DeploymentConfig.2.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppxProvisioning.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Caches\{902A20F7-8076-4A94-8321-875ECA5EC89E}.2.ver0x0000000000000001.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\3\0fb74f11[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Desktop\NYMMPCEIMA\GLTYDMDUST.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Documents\NYMMPCEIMA\GLTYDMDUST.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\4\677715dc[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\customizations.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\AppRepository\Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\e335baf1-18ab-73fe-e089-3fa0a6e71a35.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.4_0\craw_window.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000000f.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\3\0c3a2f0b[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\4\8cafcc5f[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Documents\ZIPXYXWIOY\ZIPXYXWIOY.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\6ffa25dc-c89d-3de9-3601-df09bae65a75.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.7_1\eventpage_bin_prod.js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-report-2018-11-22.xml VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.3.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\3\045d3532[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Desktop\LIJDSFKJZG.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Documents\QCOILOQIKC.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\7HJQTB48\3\108fcafd[1].js VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Desktop\NWCXBPIUYI.xlsx VolumeInformation
Source:
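The rows above are raw sandbox output: one dropped executable walking system, application and user-profile files and querying volume information on each. What an analyst actually wants from such a listing is a quick answer to "did this process touch the user's documents, and how broadly?", because a single process probing .pdf/.docx/.xlsx files under Desktop and Documents alongside unrelated ProgramData and Program Files content is the access pattern that precedes bulk encryption or exfiltration. The following parser and triage heuristic is an added example, not part of the Joe Sandbox report or its tooling. It reads report rows in either the fused form ("...exeQueries volume information:") or the spaced form, and the sample rows are copied from the listing above; the extension list, the profile folder list and the threshold of three user documents are assumptions chosen for illustration, not values from the report.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed: document types an encryptor or stealer typically enumerates
# under the user profile. Tune to the case at hand.
USER_DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}
# Assumed: profile folders that hold user-created data (AppData is excluded
# on purpose; browser caches and telemetry DBs live there and are noise).
USER_DOC_DIRS = {"desktop", "documents", "pictures", "downloads"}

# One "Queries volume information" row. The source executable and the
# "Queries ..." field may be fused by extraction, hence \s* between them.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*"
    r"Queries volume information:\s*(?P<path>.+?)\s*VolumeInformation\s*$"
)

# Constructed sample: rows copied from the report listing, some left fused.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Desktop\NYMMPCEIMA\GLTYDMDUST.pdf VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\Documents\NYMMPCEIMA\GLTYDMDUST.pdf VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Documents\ZIPXYXWIOY\ZIPXYXWIOY.docx VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\Desktop\LIJDSFKJZG.pdf VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\Documents\QCOILOQIKC.docx VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Users\user\Desktop\NWCXBPIUYI.xlsx VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exe Queries volume information: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlIpAddress_GetArray.au3 VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\tgytutrc3413.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Office\OTele\winword.exe.db VolumeInformation",
]


def parse_rows(lines):
    """Yield (source_exe, queried_path) for each well-formed row; skip the rest."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("path")


def is_user_document(path):
    """True for C:\\Users\\<name>\\<Desktop|Documents|...>\\...<doc extension>."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]  # ('c:\\', 'users', 'user', 'desktop', ...)
    in_profile = len(parts) > 3 and parts[1] == "users" and parts[3] in USER_DOC_DIRS
    return in_profile and p.suffix.lower() in USER_DOC_EXTS


def summarize(lines, threshold=3):
    """Aggregate the rows and flag broad user-document enumeration.

    threshold (assumed) is the number of distinct user documents one process
    must probe before the listing is marked suspicious.
    """
    rows = list(parse_rows(lines))
    by_src = Counter(src for src, _ in rows)
    by_ext = Counter(PureWindowsPath(p).suffix.lower() or "<none>" for _, p in rows)
    user_docs = sorted({p for _, p in rows if is_user_document(p)})
    return {
        "rows": len(rows),
        "by_source": dict(by_src),
        "by_extension": dict(by_ext),
        "user_documents": user_docs,
        "suspicious": len(user_docs) >= threshold,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    print(f"{result['rows']} rows from {len(result['by_source'])} source process(es)")
    print("extensions:", result["by_extension"])
    for doc in result["user_documents"]:
        print("  user document probed:", doc)
    print("suspicious:", result["suspicious"])
```

In practice, feed the whole behaviour section to `summarize` rather than a slice: the ratio of profile documents to the noise paths (caches, licence files, extension scripts) is what separates an encryptor walking the filesystem from an installer reading its own payload, and a report truncated by the sandbox's size limits will undercount both.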