Windows Analysis Report
SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Analysis ID: 1417067
MD5: f3e70f68d7e2f644bcd312f1333094e1
SHA1: 259dd00ddb8a08fb149c37254bfb865a74bb11b9
SHA256: 6607d552accc951f2cd068bb394200987d7d1e90e34f8cdab3afe6e3ccedee4e
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
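The signatures above flag user-mode inline hooks on the file, process and registry query functions (the classic way to hide files, processes and keys) and the modified prologues they leave behind. The following is an added example, not code from the report or from the sample: it shows how a practitioner checks for such hooks by comparing a function's in-memory prologue against its clean on-disk bytes and classifying the trampoline found. All byte strings are constructed for illustration (the stub encodings and syscall numbers are not taken from any particular Windows build), and the function names are assumptions about what a rootkit-style sample typically hooks.

```python
import struct

# Constructed x64 Nt* stubs padded to 16 bytes (illustrative, not real ntdll bytes):
#   mov r10, rcx ; mov eax, imm32 ; syscall ; ret ; int3 padding
def _nt_stub(syscall_no: int) -> bytes:
    stub = b"\x4c\x8b\xd1\xb8" + struct.pack("<I", syscall_no) + b"\x0f\x05\xc3"
    return stub.ljust(16, b"\xcc")

# "On disk" copies, as read from the module file (constructed sample data).
ON_DISK = {
    "NtQueryDirectoryFile": _nt_stub(0x23),      # hooked to hide files/directories
    "NtQuerySystemInformation": _nt_stub(0x36),  # hooked to hide processes
    "NtEnumerateKey": _nt_stub(0x32),            # hooked to hide registry keys
    "NtEnumerateValueKey": _nt_stub(0x13),       # left clean in this sample data
}

# Trampolines an inline hook typically writes over the prologue.
def jmp_rel32(rel: int) -> bytes:           # E9 <rel32>
    return b"\xe9" + struct.pack("<i", rel)

def mov_rax_jmp_rax(target: int) -> bytes:  # 48 B8 <imm64> FF E0
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"

def mov_rax_push_ret(target: int) -> bytes: # 48 B8 <imm64> 50 C3
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\x50\xc3"

# "In memory" copies, as read from a live process (constructed: three are hooked).
IN_MEMORY = {
    "NtQueryDirectoryFile": jmp_rel32(0x1000 - 5) + ON_DISK["NtQueryDirectoryFile"][5:],
    "NtQuerySystemInformation": mov_rax_jmp_rax(0x7FFFDEAD0000)
        + ON_DISK["NtQuerySystemInformation"][12:],
    "NtEnumerateKey": mov_rax_push_ret(0x7FFFDEAD2000) + ON_DISK["NtEnumerateKey"][12:],
    "NtEnumerateValueKey": ON_DISK["NtEnumerateValueKey"],
}

def classify_patch(code: bytes):
    """Recognise a hook trampoline at code[0]; return (kind, target) or None.

    For relative jumps the target is expressed as a delta from the patch start,
    for absolute forms it is the absolute address encoded in the instruction."""
    if len(code) >= 5 and code[0] == 0xE9:
        return ("jmp_rel32", struct.unpack_from("<i", code, 1)[0] + 5)
    if len(code) >= 6 and code[:2] == b"\xff\x25":
        return ("jmp_rip_indirect", struct.unpack_from("<i", code, 2)[0] + 6)
    if len(code) >= 12 and code[:2] == b"\x48\xb8":
        target = struct.unpack_from("<Q", code, 2)[0]
        if code[10:12] == b"\xff\xe0":
            return ("mov_rax_jmp_rax", target)
        if code[10:12] == b"\x50\xc3":
            return ("mov_rax_push_ret", target)
    return None

def check_prologue(name: str, in_memory: bytes, on_disk: bytes) -> dict:
    """Byte-compare the prologues; on mismatch, classify what was written there."""
    n = min(len(in_memory), len(on_disk))
    diff = next((i for i in range(n) if in_memory[i] != on_disk[i]), None)
    if diff is None:
        return {"function": name, "hooked": False}
    patch = classify_patch(in_memory[diff:])
    return {
        "function": name,
        "hooked": True,
        "offset": diff,
        "kind": patch[0] if patch else "unknown",
        "target": patch[1] if patch else None,
    }

def scan_hooks(in_memory: dict, on_disk: dict) -> dict:
    """Run check_prologue over every function present in both views."""
    return {name: check_prologue(name, in_memory[name], on_disk[name])
            for name in on_disk if name in in_memory}

def hooked_functions(in_memory: dict, on_disk: dict) -> list:
    return sorted(n for n, r in scan_hooks(in_memory, on_disk).items() if r["hooked"])

if __name__ == "__main__":
    for name, result in scan_hooks(IN_MEMORY, ON_DISK).items():
        print(result)
```

On a real host the two dictionaries come from reading the process memory of each export and the same export's bytes in the module file mapped from disk; a mismatch that classifies as "unknown" still deserves attention, since hooks are not limited to the four trampoline shapes recognised here.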

AV Detection

Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Avira: detected
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Virustotal: Detection: 16%
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Joe Sandbox ML: detected
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504C1C CryptReleaseContext, 17_2_00007FF69A504C1C

Exploits

Source: Yara match File source: 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe PID: 4092, type: MEMORYSTR
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\Fallkyriya.pdbpdbiya.pdb> source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdbX source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA249.tmp.dmp.12.dr
Source: Binary string: Fallkyriya.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: assembly\GAC_MSC:\Users\user\Desktop\Fallkyriya.pdb3f@ source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Fallkyriya.pdbpdbE source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdbMicrosoft.VisualBasic.ni.dll source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb; source: WERA249.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdba@V source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\Desktop\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdbll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\Fallkyriya.pdb< source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: n.pdb source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: symbols\exe\Fallkyriya.pdbbg source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbF source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb0 source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8C:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA249.tmp.dmp.12.dr
Source: Binary string: ~1.PDB @ source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_wp.pdb source: aspnet_wp.exe, 00000003.00000003.2096098027.000001F51DBF0000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000011.00000002.2098760613.00007FF69A507000.00000004.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe, 00000011.00000000.2098305062.00007FF69A507000.00000002.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe.3.dr
Source: Binary string: n.pdb? source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbp source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbON.dll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fallkyriya.pdbp< source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Fallkyriya.pdbf source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .pdbH source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb {a source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbY source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb@ source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: C:\Users.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85898DCE0 FindFirstFileExW, 10_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86DCE0 FindFirstFileExW, 18_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5CDCE0 FindFirstFileExW, 19_2_00000195DD5CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000001D27023DCE0 FindFirstFileExW, 20_2_000001D27023DCE0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBBDCE0 FindFirstFileExW, 21_2_000001160CBBDCE0
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCFDCE0 FindFirstFileExW, 22_2_000001428DCFDCE0
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E10ADCE0 FindFirstFileExW, 23_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C93DCE0 FindFirstFileExW, 24_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA9854DCE0 FindFirstFileExW, 25_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D26531DCE0 FindFirstFileExW, 26_2_000001D26531DCE0
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00000254A27DDCE0 FindFirstFileExW, 27_2_00000254A27DDCE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_0000024B87DDDCE0 FindFirstFileExW, 28_2_0000024B87DDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000205FD40DCE0 FindFirstFileExW, 29_2_00000205FD40DCE0
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001A2056ADCE0 FindFirstFileExW, 30_2_000001A2056ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000018EC1F6DCE0 FindFirstFileExW, 31_2_0000018EC1F6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_0000025CE3E0DCE0 FindFirstFileExW, 32_2_0000025CE3E0DCE0
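The sixteen "Code function" entries above show the same FindFirstFileExW call site in winlogon.exe, lsass.exe, dwm.exe and a dozen svchost.exe instances, every time at an address ending in DCE0. Because Windows hands out VirtualAlloc regions on 64 KiB boundaries, a payload written to the start of a remote allocation keeps the same low 16 bits in every victim process, so these are one injected image landing in many processes, not sixteen unrelated routines. The following added example (not part of the report) parses entries in this report format and clusters them by API and allocation offset; the embedded lines are a subset copied from the entries above.

```python
import re
from collections import defaultdict

# Subset of "Code function" lines copied from the report above.
REPORT_LINES = r"""
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85898DCE0 FindFirstFileExW, 10_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86DCE0 FindFirstFileExW, 18_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5CDCE0 FindFirstFileExW, 19_2_00000195DD5CDCE0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBBDCE0 FindFirstFileExW, 21_2_000001160CBBDCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_0000025CE3E0DCE0 FindFirstFileExW, 32_2_0000025CE3E0DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504C1C CryptReleaseContext, 17_2_00007FF69A504C1C
"""

# "<process index>_<run>_<address> <API>," as printed in the report.
CODE_FN = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<proc>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+) (?P<api>\w+),"
)

ALLOC_GRANULARITY_MASK = 0xFFFF  # 64 KiB allocation granularity on Windows

def parse_code_functions(text: str) -> list:
    """Turn report lines into records; lines that are not Code function entries are skipped."""
    records = []
    for line in text.splitlines():
        m = CODE_FN.match(line.strip())
        if m:
            records.append({
                "image": m["image"],
                "proc": int(m["proc"]),
                "addr": int(m["addr"], 16),
                "api": m["api"],
            })
    return records

def group_by_alloc_offset(records: list, mask: int = ALLOC_GRANULARITY_MASK) -> dict:
    """Group by (API, address low bits). Identical low bits across different processes
    mean the same code at the same offset inside a 64 KiB-aligned allocation."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["api"], r["addr"] & mask)].append(r)
    return groups

def injected_clusters(records: list, min_processes: int = 2) -> dict:
    """Keep only groups seen in at least min_processes distinct processes;
    map each to the sorted set of image file names carrying that code."""
    clusters = {}
    for key, group in group_by_alloc_offset(records).items():
        if len({r["proc"] for r in group}) >= min_processes:
            clusters[key] = sorted({r["image"].rsplit("\\", 1)[-1] for r in group})
    return clusters

if __name__ == "__main__":
    for (api, offset), images in injected_clusters(parse_code_functions(REPORT_LINES)).items():
        print(f"{api} at +0x{offset:04X} in: {', '.join(images)}")
```

Run against the full report text, the FindFirstFileExW cluster lists every process the sample injected into, while the CryptReleaseContext entry from the dropped oapavmkbdsqp.exe stays on its own because it occurs in a single process.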
Source: lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://3csp.icrosof4m/ocp0
Source: svchost.exe, 00000014.00000003.2159700453.000001D26FB78000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3376019995.000001D26FB37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2159582249.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000014.00000003.2159582249.000001D26FB74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: Microsoft-Windows-LiveId%4Operational.evtx.29.dr String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3368479430.000001D26F2E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 00000014.00000002.3368479430.000001D26F2E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_
Source: lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3367839051.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: svchost.exe, 00000014.00000002.3365424692.000001D26F2C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000003.2137719803.000001428B134000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3406124581.000001428B161000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3367839051.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 00000012.00000000.2099690859.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000003.2195174266.00000140AE172000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3369125884.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099809258.00000140AE151000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3374306688.00000140AE19E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000012.00000002.3361207736.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3371700118.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099752391.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: lsass.exe, 00000012.00000000.2099913058.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3375621134.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099913058.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000000.2099658073.00000140AE000000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: svchost.exe, 00000016.00000002.3402192589.000001428A8B0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603ecure/Inl
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604//account
Source: svchost.exe, 00000014.00000002.3382740126.000001D27005B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107681738.000001D26FB6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000014.00000003.2106905094.000001D26FB2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502&amp;id=806
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600avor=4&amp;
Source: svchost.exe, 00000014.00000003.2108084375.000001D26FB56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601/Password/C
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806014
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603IDs
Source: svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604in.live.com
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604nkId=253457
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605nAuthUp
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606d=80601
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107572404.000001D26FB57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
Source: svchost.exe, 00000014.00000003.2106905094.000001D26FB2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107231250.000001D26FB5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cpBk0
Source: svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107299555.000001D26FB52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2106905094.000001D26FB29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605600
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfDW
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107032469.000001D26F24F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srfce
Source: svchost.exe, 00000014.00000002.3382740126.000001D27005B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3387513797.000001D2700ED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3363431912.000001D26F29F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3362248015.000001D26F285000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000014.00000002.3376019995.000001D26FB37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com:443/RST2.srf56
Source: svchost.exe, 00000014.00000002.3380399219.000001D270015000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.comepp
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf(
Source: svchost.exe, 00000014.00000003.2107515055.000001D26FB3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107649785.000001D26FB63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000014.00000002.3361081833.000001D26F25F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srfData.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000014.00000003.2107729408.000001D26FB27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: svchost.exe, 00000014.00000002.3360284138.000001D26F23F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000014.00000003.2107597459.000001D26FB40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Source: C:\Windows\System32\svchost.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 3_2_0000000140001394 NtEnumerateBootEntries, 3_2_0000000140001394
Source: C:\Windows\System32\dialer.exe Code function: 5_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle, 5_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E8589828C8 NtEnumerateValueKey,NtEnumerateValueKey, 10_2_000001E8589828C8
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86202C NtQuerySystemInformation,StrCmpNIW, 18_2_00000140AE86202C
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86253C NtQueryDirectoryFileEx,GetFileType,StrCpyW, 18_2_00000140AE86253C
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBB28C8 NtEnumerateValueKey,NtEnumerateValueKey, 21_2_000001160CBB28C8
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCF253C NtQueryDirectoryFileEx,GetFileType,StrCpyW, 22_2_000001428DCF253C
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCF202C NtQuerySystemInformation,StrCmpNIW, 22_2_000001428DCF202C
Source: C:\Windows\System32\lsass.exe File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\ebb8ddf7-299c-407a-b421-a800626bb459
Source: C:\Windows\System32\lsass.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: String function: 0000000140001394 appears 32 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4092 -s 1192
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000000.2076809499.0000021E1852A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUkedopegude> vs SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Binary or memory string: OriginalFilenameUkedopegude> vs SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Section loaded: userenv.dll
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: apphelp.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: webengine4.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\lsass.exe Section loaded: ngcpopkeysrv.dll
Source: C:\Windows\System32\lsass.exe Section loaded: devobj.dll
Source: C:\Windows\System32\lsass.exe Section loaded: pcpksp.dll
Source: C:\Windows\System32\lsass.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\lsass.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elstrans.dll
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.29.dr Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.29.dr Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exec
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.29.dr Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.29.dr Binary string: L\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeW
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeX**
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exez
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.29.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\spoolsv.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeV
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeU
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exep
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.29.dr Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.29.dr Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.29.dr Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.29.dr Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeN
Source: Microsoft-Windows-SMBServer%4Operational.evtx.29.dr Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.29.dr Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbF
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
Source: classification engine Classification label: mal100.expl.evad.winEXE@20/92@0/1
Source: C:\Windows\System32\dialer.exe Code function: 5_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification,FindResourceA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 5_2_000000014000226C
Source: C:\Windows\System32\dialer.exe Code function: 5_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 5_2_00000001400019C4
Source: C:\Windows\System32\lsass.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\341f1c0f-774c-49e5-927c-8487e84c25df
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4092
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\423d201e-8e2e-4b77-b47d-3a4cfabc93e7
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Virustotal: Detection: 16%
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GVKQGWZS"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "GVKQGWZS" binpath= "C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "GVKQGWZS"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
Source: C:\Windows\System32\lsass.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static file information: File size 3249284 > 1048576
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Windows\Fallkyriya.pdbpdbiya.pdb> source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdbX source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA249.tmp.dmp.12.dr
Source: Binary string: Fallkyriya.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: indoC:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: pC:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: assembly\GAC_MSC:\Users\user\Desktop\Fallkyriya.pdb3f@ source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Fallkyriya.pdbpdbE source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Drawing.pdbMicrosoft.VisualBasic.ni.dll source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.pdb; source: WERA249.tmp.dmp.12.dr
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdba@V source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\Desktop\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdbll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\Fallkyriya.pdb< source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.PDB source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Xml.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3355598963.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150856271.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: n.pdb source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: symbols\exe\Fallkyriya.pdbbg source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbF source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: mscorlib.pdb0 source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 8C:\Windows\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA249.tmp.dmp.12.dr
Source: Binary string: ~1.PDB @ source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Xml.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: aspnet_wp.pdb source: aspnet_wp.exe, 00000003.00000003.2096098027.000001F51DBF0000.00000004.00000001.00020000.00000000.sdmp, oapavmkbdsqp.exe, 00000011.00000002.2098760613.00007FF69A507000.00000004.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe, 00000011.00000000.2098305062.00007FF69A507000.00000002.00000001.01000000.0000000B.sdmp, oapavmkbdsqp.exe.3.dr
Source: Binary string: n.pdb? source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbp source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbON.dll source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E18669000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 0000001C.00000000.2150724621.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.3354678483.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Fallkyriya.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Fallkyriya.pdbp< source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 0000001C.00000002.3354678483.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150724621.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Drawing.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: \??\C:\Windows\Fallkyriya.pdbf source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2216205044.0000021E32B50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: .pdbH source: WerFault.exe, 0000000C.00000003.2198769278.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2200438015.000002A66DC70000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\Fallkyriya\obj\Release\Fallkyriya.pdb {a source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbY source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2208601791.0000021E186D2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 0000001C.00000002.3353855453.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.2150571107.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb@ source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.ni.pdb source: WERA249.tmp.dmp.12.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERA249.tmp.dmp.12.dr
Source: Binary string: C:\Users.pdb source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2207857039.000000D0E7F63000.00000004.00000010.00020000.00000000.sdmp
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Static PE information: 0xFC4D4CA1 [Wed Feb 20 04:18:41 2104 UTC]
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504AC0 memset,GetVersionExW,memset,GetSystemDirectoryW,lstrlenW,lstrlenW,LoadLibraryW,GetProcAddress,FreeLibrary, 17_2_00007FF69A504AC0
Source: oapavmkbdsqp.exe.3.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F160E2 push ebx; ret 0_2_00007FF848F161DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F1B0FA push eax; ret 0_2_00007FF848F1B111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F18C52 push ebp; iretd 0_2_00007FF848F18C53
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F1A4DD push ebx; iretd 0_2_00007FF848F1A4EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF848F16B40 push eax; iretd 0_2_00007FF848F16B41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Code function: 0_2_00007FF84901026B push esp; retf 4810h 0_2_00007FF849010312
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 3_2_0000000140001394 push qword ptr [000000014000A004h]; ret 3_2_0000000140001403
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85896ACDD push rcx; retf 003Fh 10_2_000001E85896ACDE
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85899C6DD push rcx; retf 003Fh 10_2_000001E85899C6DE
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140ADFDACDD push rcx; retf 003Fh 18_2_00000140ADFDACDE
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE87C6DD push rcx; retf 003Fh 18_2_00000140AE87C6DE
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5AACDD push rcx; retf 003Fh 19_2_00000195DD5AACDE
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5DC6DD push rcx; retf 003Fh 19_2_00000195DD5DC6DE
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000001D27024C6DD push rcx; retf 003Fh 20_2_000001D27024C6DE
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CB9ACDD push rcx; retf 003Fh 21_2_000001160CB9ACDE
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBCC6DD push rcx; retf 003Fh 21_2_000001160CBCC6DE
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCDACDD push rcx; retf 003Fh 22_2_000001428DCDACDE
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DD0C6DD push rcx; retf 003Fh 22_2_000001428DD0C6DE
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DD077DB push rsp; iretd 22_2_000001428DD077E1
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E108ACDD push rcx; retf 003Fh 23_2_00000257E108ACDE
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E10BC6DD push rcx; retf 003Fh 23_2_00000257E10BC6DE
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C1EACDD push rcx; retf 003Fh 24_2_000001F28C1EACDE
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C94C6DD push rcx; retf 003Fh 24_2_000001F28C94C6DE
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA97FEACDD push rcx; retf 003Fh 25_2_000001CA97FEACDE
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA9855C6DD push rcx; retf 003Fh 25_2_000001CA9855C6DE
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D2652FACDD push rcx; retf 003Fh 26_2_000001D2652FACDE
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D26532C6DD push rcx; retf 003Fh 26_2_000001D26532C6DE
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00000254A27EC6DD push rcx; retf 003Fh 27_2_00000254A27EC6DE
Source: C:\Windows\System32\svchost.exe Code function: 28_2_0000024B87DEC6DD push rcx; retf 003Fh 28_2_0000024B87DEC6DE
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000205FB3DACDD push rcx; retf 003Fh 29_2_00000205FB3DACDE

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe File created: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "GVKQGWZS"

Hooking and other Techniques for Hiding and Protection

Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: winlogon.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe PID: 4092, type: MEMORYSTR
Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,FindCloseChangeNotification,CloseHandle, 5_2_00000001400010C0
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory allocated: 21E18850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory allocated: 21E32160000 memory reserve | memory write watch
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1755
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 565
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 5163
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 4836
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9979
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9860
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe API coverage: 2.8 %
Source: C:\Windows\System32\lsass.exe API coverage: 8.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.5 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.8 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.3 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.8 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
Source: C:\Windows\System32\dialer.exe TID: 7188 Thread sleep count: 1755 > 30
Source: C:\Windows\System32\dialer.exe TID: 7188 Thread sleep time: -175500s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7288 Thread sleep count: 565 > 30
Source: C:\Windows\System32\dialer.exe TID: 7288 Thread sleep time: -56500s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7480 Thread sleep count: 5163 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7480 Thread sleep time: -5163000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 7480 Thread sleep count: 4836 > 30
Source: C:\Windows\System32\winlogon.exe TID: 7480 Thread sleep time: -4836000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 7488 Thread sleep count: 9979 > 30
Source: C:\Windows\System32\lsass.exe TID: 7488 Thread sleep time: -9979000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 7540 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7412 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 7412 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 7708 Thread sleep count: 9860 > 30
Source: C:\Windows\System32\dwm.exe TID: 7708 Thread sleep time: -9860000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7580 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8012 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8012 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7724 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7724 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7740 Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 7740 Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7748 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7748 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7760 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7760 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7788 Thread sleep count: 196 > 30
Source: C:\Windows\System32\svchost.exe TID: 7788 Thread sleep time: -196000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 7796 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7804 Thread sleep count: 228 > 30
Source: C:\Windows\System32\svchost.exe TID: 7804 Thread sleep time: -228000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7812 Thread sleep count: 243 > 30
Source: C:\Windows\System32\svchost.exe TID: 7812 Thread sleep time: -243000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7820 Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 7820 Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 7828 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7840 Thread sleep count: 241 > 30
Source: C:\Windows\System32\svchost.exe TID: 7840 Thread sleep time: -241000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7848 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 7848 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7856 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 7856 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 7864 Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7872 Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 7872 Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7880 Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 7880 Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7888 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7888 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7908 Thread sleep count: 247 > 30
Source: C:\Windows\System32\svchost.exe TID: 7908 Thread sleep time: -247000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7920 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 7920 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7928 Thread sleep count: 244 > 30
Source: C:\Windows\System32\svchost.exe TID: 7928 Thread sleep time: -244000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7940 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 7940 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85898DCE0 FindFirstFileExW, 10_2_000001E85898DCE0
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86DCE0 FindFirstFileExW, 18_2_00000140AE86DCE0
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5CDCE0 FindFirstFileExW, 19_2_00000195DD5CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000001D27023DCE0 FindFirstFileExW, 20_2_000001D27023DCE0
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBBDCE0 FindFirstFileExW, 21_2_000001160CBBDCE0
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCFDCE0 FindFirstFileExW, 22_2_000001428DCFDCE0
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E10ADCE0 FindFirstFileExW, 23_2_00000257E10ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C93DCE0 FindFirstFileExW, 24_2_000001F28C93DCE0
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA9854DCE0 FindFirstFileExW, 25_2_000001CA9854DCE0
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D26531DCE0 FindFirstFileExW, 26_2_000001D26531DCE0
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00000254A27DDCE0 FindFirstFileExW, 27_2_00000254A27DDCE0
Source: C:\Windows\System32\svchost.exe Code function: 28_2_0000024B87DDDCE0 FindFirstFileExW, 28_2_0000024B87DDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000205FD40DCE0 FindFirstFileExW, 29_2_00000205FD40DCE0
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001A2056ADCE0 FindFirstFileExW, 30_2_000001A2056ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000018EC1F6DCE0 FindFirstFileExW, 31_2_0000018EC1F6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_0000025CE3E0DCE0 FindFirstFileExW, 32_2_0000025CE3E0DCE0
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504E38 VirtualQuery,GetSystemInfo, 17_2_00007FF69A504E38
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 30000
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.29.dr Binary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001D.00000000.2155812268.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.3363230253.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost.exe, 0000001D.00000002.3363969303.00000205FAC43000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@vmci
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 0000001B.00000002.3359707590.00000254A202B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: NECVMWarVMware SATA CD00
Source: svchost.exe, 00000014.00000002.3380399219.000001D270015000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcpV6VMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: WerFault.exe, 0000000C.00000003.2198697961.000002A6707A7000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2196345877.000002A6707AA000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2201679415.000002A6707AC000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3365424692.000001D26F2C8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3405102430.000001428B106000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: WerFault.exe, 0000000C.00000003.2198447758.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000002.2202009507.000002A670BA6000.00000004.00000001.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2196103434.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp, WerFault.exe, 0000000C.00000003.2195755219.000002A670BA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.29.dr Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: svchost.exe, 0000001D.00000002.3365803568.00000205FAC96000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr Binary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000001D.00000000.2157231187.00000205FB933000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmcir:m
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: VMware
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.29.dr Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicvssNT SERVICE
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.29.dr Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: dwm.exe, 00000015.00000002.3409607467.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: PointVMware&P
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.29.dr Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: lsass.exe, 00000012.00000000.2099340676.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000012.00000002.3357881957.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.2102698505.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3358537577.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000016.00000000.2120894664.000001428A88A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3358126937.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2137095808.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000000.2138316510.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3350863396.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.2142892913.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.3360387148.00000254A2043000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicshutdownNT SERVICE
Source: Amcache.hve.12.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe, 00000000.00000002.2210817554.0000021E1A4C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: svchost.exe, 00000016.00000002.3401782467.000001428A88A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW%\System32\ci.dll,-101
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: lsass.exe, 00000012.00000002.3377900817.00000140AE209000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.29.dr Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value)
Source: svchost.exe, 00000013.00000003.2651893903.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000025.00000002.3353534450.000001B278E02000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: lsass.exe, 00000012.00000000.2099478451.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 00000014.00000002.3359539176.000001D26F227000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000001D.00000003.3246807466.00000205FD225000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\dialer.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process queried: DebugPort
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000001E858987D90
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504AC0 memset,GetVersionExW,memset,GetSystemDirectoryW,lstrlenW,lstrlenW,LoadLibraryW,GetProcAddress,FreeLibrary, 17_2_00007FF69A504AC0
Source: C:\Windows\System32\dialer.exe Code function: 5_2_00000001400017EC GetProcessHeap,RtlAllocateHeap,OpenProcess,TerminateProcess,CloseHandle,GetProcessHeap,HeapFree, 5_2_00000001400017EC
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Code function: 3_2_0000000140001160 Sleep,Sleep,_amsg_exit,_initterm,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,exit, 3_2_0000000140001160
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E858987D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000001E858987D90
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E85898D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000001E85898D2A4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A505D44 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF69A505D44
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A505AB4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00007FF69A505AB4
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A505C50 SetUnhandledExceptionFilter, 17_2_00007FF69A505C50
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE867D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00000140AE867D90
Source: C:\Windows\System32\lsass.exe Code function: 18_2_00000140AE86D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00000140AE86D2A4
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00000195DD5CD2A4
Source: C:\Windows\System32\svchost.exe Code function: 19_2_00000195DD5C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00000195DD5C7D90
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000001D270237D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000001D270237D90
Source: C:\Windows\System32\svchost.exe Code function: 20_2_000001D27023D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_000001D27023D2A4
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBBD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_000001160CBBD2A4
Source: C:\Windows\System32\dwm.exe Code function: 21_2_000001160CBB7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_000001160CBB7D90
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCFD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_000001428DCFD2A4
Source: C:\Windows\System32\svchost.exe Code function: 22_2_000001428DCF7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_000001428DCF7D90
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E10AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00000257E10AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 23_2_00000257E10A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 23_2_00000257E10A7D90
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C937D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_000001F28C937D90
Source: C:\Windows\System32\svchost.exe Code function: 24_2_000001F28C93D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_000001F28C93D2A4
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA9854D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_000001CA9854D2A4
Source: C:\Windows\System32\svchost.exe Code function: 25_2_000001CA98547D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_000001CA98547D90
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D265317D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000001D265317D90
Source: C:\Windows\System32\svchost.exe Code function: 26_2_000001D26531D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 26_2_000001D26531D2A4
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00000254A27DD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_00000254A27DD2A4
Source: C:\Windows\System32\svchost.exe Code function: 27_2_00000254A27D7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 27_2_00000254A27D7D90
Source: C:\Windows\System32\svchost.exe Code function: 28_2_0000024B87DDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_0000024B87DDD2A4
Source: C:\Windows\System32\svchost.exe Code function: 28_2_0000024B87DD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_0000024B87DD7D90
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000205FD40D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_00000205FD40D2A4
Source: C:\Windows\System32\svchost.exe Code function: 29_2_00000205FD407D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_00000205FD407D90
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001A2056AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_000001A2056AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 30_2_000001A2056A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 30_2_000001A2056A7D90
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000018EC1F67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_0000018EC1F67D90
Source: C:\Windows\System32\svchost.exe Code function: 31_2_0000018EC1F6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_0000018EC1F6D2A4
Source: C:\Windows\System32\svchost.exe Code function: 32_2_0000025CE3E0D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 32_2_0000025CE3E0D2A4
Source: C:\Windows\System32\svchost.exe Code function: 32_2_0000025CE3E07D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 32_2_0000025CE3E07D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 1E858950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 140ADFC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 195DD590000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 1160CB80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 257E1070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F28C1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CA97FD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2652E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 254A27A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24B87DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 205FB3C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A205670000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 18EC1F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25CE3BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26238950000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2786E560000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1611FF70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27C0F350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B279570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E70A460000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22D13120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22C8C580000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2825F1D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20BAEC90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C782530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: A60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24066EB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 181CEDB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A142790000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 195B6F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1428DCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D76CCC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A239D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17CFA390000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FB7270000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1DF53B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 164E88A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 25177B50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28D5D340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 24EB5E10000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20859990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F153C20000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D241D40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 16FADAD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 20E03070000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15204DB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 87B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 175C5280000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 22EF1B30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 261DE4D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 226D8930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13E5E930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28AF9060000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 27234C50000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28543540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 2B684340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 19842D80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 1C5C1BA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1067B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1E9FB500000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 286545D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1FAD81D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D270200000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 5_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 5_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: 5895273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: ADFC273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: DD59273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: CB8273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: E107273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8C1D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 97FD273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 652E273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A27A273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 87DA273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: FB3C273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 567273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: C1F3273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: E3BC273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 3895273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6E56273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1FF7273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: F35273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7957273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A46273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 1312273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8C58273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5F1D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D9C273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: AEC9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DC1B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8253273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 66EB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FD9A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CEDB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4279273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B6F3273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8DCC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7373273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F9DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6CCC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 39D9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FA39273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B727273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 53B5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E88A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 77B5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5D34273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: B5E1273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5999273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 53C2273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 41D4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: ADAD273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 307273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4DB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 87B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C528273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 76AA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F1B3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F34F273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DE4D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7452273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A9D0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AF8C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D893273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E93273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4412273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 97E3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: DC87273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 698D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F906273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 34C5273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4354273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8434273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5892273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 15273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 42D8273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C1BA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5C05273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CE8F273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FB50273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 545D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D81D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7020273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7AA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 854273C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 195DD590000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 257E1070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A205670000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26238950000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2786E560000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B279570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22D13120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C782530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: A60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A142790000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1428DCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25177B50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20859990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 87B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 175C5280000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27234C50000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28543540000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 19842D80000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1C5C1BA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1067B150000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1E9FB500000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 286545D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FAD81D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D270200000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\dialer.exe Memory written: PID: 1028 base: 87B0000 value: 4D Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Thread register set: target process: 3292
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Thread register set: target process: 7184
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140001000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 140008000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 14000A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BD000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BE000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402BF000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 1402C0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe base: 44B80EB010
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 1E858950000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 140ADFC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 195DD590000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 1160CB80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 257E1070000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F28C1D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CA97FD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2652E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 254A27A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24B87DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 205FB3C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A205670000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 18EC1F30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25CE3BC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26238950000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2786E560000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1611FF70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27C0F350000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B279570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E70A460000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22D13120000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22C8C580000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2825F1D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2AA5D9C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20BAEC90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2DC1B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C782530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: A60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24066EB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A3FD9A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 181CEDB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A142790000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 195B6F30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1428DCC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 1B973730000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DBF9DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D76CCC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A239D90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17CFA390000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FB7270000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1DF53B50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 164E88A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 25177B50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28D5D340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 24EB5E10000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20859990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F153C20000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D241D40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 16FADAD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 20E03070000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15204DB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 87B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 175C5280000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 1CE76AA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 22EF1B30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1C7F34F0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 261DE4D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22E74520000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1B1A9D00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 217AF8C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 226D8930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13E5E930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1F844120000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 21197E30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 223DC870000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 1B4698D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28AF9060000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 27234C50000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28543540000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 2B684340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BE58920000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 21300150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 19842D80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 1C5C1BA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1067B150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2855C050000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 22CCE8F0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1E9FB500000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe base: 21E18980000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 286545D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1FAD81D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D270200000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26907AA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26908540000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D26FF60000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D26FF70000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1428DC90000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D26FFE0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1D26FFF0000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\WerFault.exe base: 2A66FD70000
Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 1428D8A0000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\dialer.exe Code function: 5_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 5_2_0000000140001B54
Source: winlogon.exe, 0000000A.00000000.2096011169.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000A.00000002.3372730897.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000015.00000000.2110843949.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: winlogon.exe, 0000000A.00000000.2096011169.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000A.00000002.3372730897.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000015.00000000.2110843949.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 0000000A.00000000.2096011169.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000A.00000002.3372730897.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000015.00000000.2110843949.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 0000000A.00000000.2096011169.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 0000000A.00000002.3372730897.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000015.00000000.2110843949.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E8589636F0 cpuid 10_2_000001E8589636F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\config.json VolumeInformation
Source: C:\Windows\System32\dialer.exe Code function: 5_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 5_2_0000000140001B54
Source: C:\Windows\System32\winlogon.exe Code function: 10_2_000001E858987960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_000001E858987960
Source: C:\ProgramData\jjfvbumjfczj\oapavmkbdsqp.exe Code function: 17_2_00007FF69A504AC0 memset,GetVersionExW,memset,GetSystemDirectoryW,lstrlenW,lstrlenW,LoadLibraryW,GetProcAddress,FreeLibrary, 17_2_00007FF69A504AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.RATX-gen.30029.14447.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000001D.00000000.2160181582.00000205FD1B1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001D.00000003.3246737581.00000205FD1B1000.00000004.00000001.00020000.00000000.sdmp, Amcache.hve.12.dr, Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.29.dr Binary or memory string: MsMpEng.exe