Windows Analysis Report
UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Overview

General Information

Sample name:	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Analysis ID:	1428798
MD5:	f99dc4d2e045ae0bbc169fff12a5c6d5
SHA1:	c3a4a89907201776e9ad38fc63573522e0d233f1
SHA256:	e4726c4cad6dd043e87289a51733a6627b2abf1ae88b70458c9674ef4669540c
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected PureLog Stealer

Yara detected zgRAT

.NET source code contains potential unpacker

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Kbojz.exe

Avira: detection malicious, Label: HEUR/AGEN.1304549

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Kbojz.exe

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

ReversingLabs: Detection: 63%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Kbojz.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Joe Sandbox ML: detected

Uses 32bit PE files

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.41.11:443 -> 192.168.2.22:49184 version: TLS 1.2

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: f2f5b5c0-4645-40a2-a057-694e3cbb601b<Module>costura.costura.dll.compressedcostura.dotnetzip.dll.compressedcostura.dotnetzip.pdb.compressedcostura.protobuf-net.dll.compressedDglpobuyba.g.resourcesaR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: costura.dotnetzip.pdb.compressed source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000023AB000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359148679.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.0000000003259000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.0000000002384000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.423329091.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.423329091.000000000386F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: p costura.dotnetzip.pdb.compressedt- source: Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: p costura.dotnetzip.pdb.compressed source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000023AB000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359148679.00000000051B0000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.0000000003259000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.0000000002384000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.423329091.0000000003990000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.423329091.000000000386F000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Dglpobuyba.pdb source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003830000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.431703132.00000000046B0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: p costura.dotnetzip.pdb.compressedlB source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434522188.0000000006180000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: p@costura.dotnetzip.pdb.compressed source: Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then jmp 01EF7B2Bh	0_2_01EF7928
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then jmp 01EF7B2Bh	0_2_01EF7919
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then jmp 01EF8FEFh	0_2_01EF9085
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then jmp 01EF8FEFh	0_2_01EF8F88
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_01F09970
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_01F09978
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_04C8D900
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 020F8FEFh	3_2_020F9085
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 020F7B2Bh	3_2_020F7919
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 020F7B2Bh	3_2_020F7928
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 020F8FEFh	3_2_020F8F88
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_021A917A
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	3_2_021A9180
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_052CD900
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 02018FEFh	4_2_02019085
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 02017B2Bh	4_2_02017919
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 02017B2Bh	4_2_02017928
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then jmp 02018FEFh	4_2_02018F88
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_0203917B
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	4_2_02039180
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	4_2_0540D900

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49174 -> 80.85.152.161:2442

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21481&authkey=!AJjxgOKv6NEIF-A HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21481&authkey=!AJjxgOKv6NEIF-A HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 150.171.41.11 150.171.41.11
Source: Joe Sandbox View	IP Address: 13.107.137.11 13.107.137.11

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1

Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161
Source: unknown	TCP traffic detected without corresponding DNS query: 80.85.152.161

Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21481&authkey=!AJjxgOKv6NEIF-A HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?resid=26943FEBC022618F%21481&authkey=!AJjxgOKv6NEIF-A HTTP/1.1Host: onedrive.live.comConnection: Keep-Alive

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Kbojz.exe, 00000006.00000002.478817595.000000000246E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dual-spov-0006.spov-dc-msedge.net
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.000000000244C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dual-spov-0006.spov-msedge.net
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://l-0003.l-msedge.net
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.000000000244C000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.000000000246E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://onedrive.live.com
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://s.symcd.com06
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://s2.symcb.com0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000020E1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002432000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.000000000221D000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://sv.symcd.com0&
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002481000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://utqurw.am.files.1drv.com
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://www.apple.com/
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434522188.0000000006180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/0-1508238359936
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/1-1508238359942
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/2-1508238359945
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/3-1508238359948
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/4-1508238359950
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://archive.torproject.org/tor-package-archive/torbrowser/13.0.9/tor-expert-bundle-windows-i686-
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: Kbojz.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.000000000241E000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025DF000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.472630617.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.482725847.0000000003C46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.000000000213C000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002444000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002432000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000022D1000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.000000000221D000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002465000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com
Source: Kbojz.exe, 00000006.00000002.478817595.0000000002453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=26943FEBC022618F
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Kbojz.exe.0.dr	String found in binary or memory: https://onedrive.live.com/download?resid=26943FEBC022618F%21479&authkey=
Source: Kbojz.exe, 00000006.00000002.478817595.0000000002453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/download?resid=26943FEBC022618F%21481&authkey=
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002128000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.000000000231A000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.000000000225A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://public.am.files.1drv.com
Source: Kbojz.exe, 00000004.00000002.420766544.00000000022C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://public.am.files.1drv.com/y4mAdtlexFWsAsM5m_v175jQDQZ3JlPlheZX222y4JutpDgoqJHt5wLr_wX4GD45dXi
Source: Kbojz.exe, 00000003.00000002.407176401.000000000231A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://public.am.files.1drv.com/y4mQE8Cn-ey22tLqFzNP6Bvc0YOHW16UYVvHKAtb_HbiHHBX320gCSUBo3NE91NAaiU
Source: Kbojz.exe, 00000004.00000002.420766544.000000000225A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://public.am.files.1drv.com/y4msme9eT8kXrOR-7wV9kiBohdMur1Lbs151ysdQuqKOSsl3mAiWGdSV3LP6WqYY9va
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: Oazzuwge.tmpdb.6.dr, Stygcpda.tmpdb.6.dr, Zlxloj.tmpdb.2.dr, Buyeg.tmpdb.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060CA000.00000004.00000020.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434205628.00000000060E2000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.406017200.000000000051B000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.419345105.0000000000568000.00000004.00000020.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.485746581.00000000056CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.00000000024E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skydrive.live.com
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002466000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.000000000244C000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.00000000024E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skydrive.live.com/redir.aspx?resid=26943FEBC022618F%21481&avres=Infected&averror=SUCCESS&vin
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Kbojz.exe, 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000003.00000002.410066207.0000000003301000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.000000000246E000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://utqurw.am.files.1drv.com
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.000000000246E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://utqurw.am.files.1drv.com/y4mFbMW97TPAIW_iquyB-Ao69Foeiu4Lp0Em3x5_9O_Ik0LysS9rZcK8ox-X1Eantad
Source: Kbojz.exe, 00000006.00000002.478817595.0000000002490000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://utqurw.am.files.1drv.com/y4ms_vWzniFUJaBcF0Y1jNwvuu_3iedMM7s1JmtuLb_AtOzVrcYjTWzJYemZ-gol7I6
Source: Buyeg.tmpdb.2.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/search?q=net
Source: Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/search?q=wmf
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.00000000023F8000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.482725847.0000000003FB7000.00000004.00000800.00020000.00000000.sdmp, Kbojz.exe, 00000006.00000002.478817595.0000000002418000.00000004.00000800.00020000.00000000.sdmp, Kcidab.tmpdb.6.dr, Rdlgtuxmdrq.tmpdb.2.dr, Owotczgukzq.tmpdb.2.dr, Urmvri.tmpdb.2.dr, Rgcgvjqbqci.tmpdb.6.dr, Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/sorry/index
Source: Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: Kbojz.exe, 00000006.00000002.482725847.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp, Kcidab.tmpdb.6.dr, Rdlgtuxmdrq.tmpdb.2.dr, Owotczgukzq.tmpdb.2.dr, Urmvri.tmpdb.2.dr, Rgcgvjqbqci.tmpdb.6.dr, Ntxfuk.tmpdb.6.dr	String found in binary or memory: https://www.google.com/sorry/indextest
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/about/gro.allizom.www.
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/contribute/gro.allizom.www.
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/central/gro.allizom.www.
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/customize/gro.allizom.www.
Source: Eiakizpyayx.tmpdb.6.dr, Uwdvtizbx.tmpdb.2.dr	String found in binary or memory: https://www.mozilla.org/en-US/firefox/help/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.137.11:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 150.171.41.11:443 -> 192.168.2.22:49184 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.4250000.11.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3edf930.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3dff8d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3edf930.9.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.4250000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e5f910.6.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e1f8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e5f910.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000002.00000002.431328729.0000000004250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects zgRAT Author: ditekSHen

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 770B0000 page execute and read and write

Detected potential crypto function

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_004CE8E0	0_2_004CE8E0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_004CE628	0_2_004CE628
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01EFF6B8	0_2_01EFF6B8
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01EF4790	0_2_01EF4790
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F00FA8	0_2_01F00FA8
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F0A330	0_2_01F0A330
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F0A320	0_2_01F0A320
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F1B040	0_2_01F1B040
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F10040	0_2_01F10040
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F1142C	0_2_01F1142C
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F15110	0_2_01F15110
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F150FF	0_2_01F150FF
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F14080	0_2_01F14080
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F14070	0_2_01F14070
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F10006	0_2_01F10006
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F19C60	0_2_01F19C60
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_01F19C50	0_2_01F19C50
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046AB4B0	0_2_046AB4B0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A8178	0_2_046A8178
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046AC6B0	0_2_046AC6B0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046AB7D7	0_2_046AB7D7
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A0040	0_2_046A0040
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A0022	0_2_046A0022
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_04C80040	0_2_04C80040
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_04C80006	0_2_04C80006
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058CD650	0_2_058CD650
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058B0006	0_2_058B0006
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058B0040	0_2_058B0040
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058CCAA8	0_2_058CCAA8
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_001E9608	2_2_001E9608
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_001E1019	2_2_001E1019
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_001E1028	2_2_001E1028
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_004F3BF8	2_2_004F3BF8
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_004F3BD7	2_2_004F3BD7
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006045D0	2_2_006045D0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00607A48	2_2_00607A48
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00605600	2_2_00605600
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006048F7	2_2_006048F7
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00619958	2_2_00619958
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00614DF8	2_2_00614DF8
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00B2D630	2_2_00B2D630
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04DCBF08	2_2_04DCBF08
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04DCB2F0	2_2_04DCB2F0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04DCB638	2_2_04DCB638
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04DC3770	2_2_04DC3770
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04DC5968	2_2_04DC5968
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04EF5DC0	2_2_04EF5DC0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_04EFAEC8	2_2_04EFAEC8
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_005FE8E0	3_2_005FE8E0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_005FE628	3_2_005FE628
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_020F4798	3_2_020F4798
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02150040	3_2_02150040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_0215142C	3_2_0215142C
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_0215B448	3_2_0215B448
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02150006	3_2_02150006
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_0215A058	3_2_0215A058
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_0215A068	3_2_0215A068
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02154478	3_2_02154478
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02154488	3_2_02154488
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02155518	3_2_02155518
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_02155507	3_2_02155507
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_021A07C0	3_2_021A07C0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_021A9B38	3_2_021A9B38
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_021A9B28	3_2_021A9B28
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_021A07B0	3_2_021A07B0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_021AA124	3_2_021AA124
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D0B4A0	3_2_04D0B4A0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D0EEF0	3_2_04D0EEF0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D0C698	3_2_04D0C698
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D0B7C7	3_2_04D0B7C7
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D00040	3_2_04D00040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D0001F	3_2_04D0001F
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_04D08178	3_2_04D08178
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_052C0040	3_2_052C0040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_05C0D248	3_2_05C0D248
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_05BF003B	3_2_05BF003B
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_05BF0040	3_2_05BF0040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 3_2_05C0C6A0	3_2_05C0C6A0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_006BE8E0	4_2_006BE8E0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_006BE628	4_2_006BE628
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01F60048	4_2_01F60048
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD0040	4_2_01FD0040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FDB448	4_2_01FDB448
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD142C	4_2_01FD142C
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FDA068	4_2_01FDA068
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FDA058	4_2_01FDA058
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD0006	4_2_01FD0006
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD5518	4_2_01FD5518
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD5507	4_2_01FD5507
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD4488	4_2_01FD4488
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_01FD4478	4_2_01FD4478
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_02014798	4_2_02014798
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_020307C0	4_2_020307C0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_02039B28	4_2_02039B28
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_02039B38	4_2_02039B38
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_020307B0	4_2_020307B0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_0203A124	4_2_0203A124
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E0B4A0	4_2_04E0B4A0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E0EF80	4_2_04E0EF80
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E0C698	4_2_04E0C698
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E0B7C7	4_2_04E0B7C7
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E00040	4_2_04E00040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E0001F	4_2_04E0001F
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E08168	4_2_04E08168
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_04E08178	4_2_04E08178
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_05400040	4_2_05400040
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_05400027	4_2_05400027
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_0721D248	4_2_0721D248
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_0721C6A0	4_2_0721C6A0
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_07200007	4_2_07200007
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Code function: 4_2_07200040	4_2_07200040

PE / OLE file has an invalid certificate

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.4250000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3edf930.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3dff8d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3edf930.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.4250000.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e5f910.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e1f8f0.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3e5f910.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000002.00000002.431328729.0000000004250000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winSCR@9/24@61/3

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

File created: C:\Users\user\AppData\Roaming\Kbojz.exe

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000023AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000023AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEpqbjur.exe. vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359012875.0000000004190000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000000.333331154.0000000000084000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEpqbjur.exe. vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000021F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXvpwbop.exe" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.00000000021F5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359476734.0000000007180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameQhvpifi.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359148679.00000000051B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.000000000241E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359319298.0000000005D54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEpqbjur.exe. vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356858296.0000000003259000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356276020.0000000000784000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.431328729.0000000004250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDglpobuyba.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003EDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420150231.0000000000864000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassLibrary1.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.434522188.0000000006180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003BE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDglpobuyba.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.431703132.00000000046B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDglpobuyba.dll" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.418995567.00000000004D4000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXvpwbop.exe" vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Binary or memory string: OriginalFilenameEpqbjur.exe. vs UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Mutant created: \Sessions\1\BaseNamedObjects\f6f8b153ecbd01c8

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown	Process created: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr "C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr" /S
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Process created: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr "C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Process created: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr "C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process created: C:\Users\user\AppData\Roaming\Kbojz.exe "C:\Users\user\AppData\Roaming\Kbojz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: wbemcomn2.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Section loaded: gpapi.dll

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, Program.cs	.Net Code: DisplayResult System.AppDomain.Load(byte[])
Source: Kbojz.exe.0.dr, Program.cs	.Net Code: DisplayResult System.AppDomain.Load(byte[])
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3209550.4.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3209550.4.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3209550.4.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3209550.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3209550.4.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.23d283c.1.raw.unpack, Program.cs	.Net Code: DisplayResult System.AppDomain.Load(byte[])
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.32afd50.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.51b0000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Source: Yara match	File source: 3.2.Kbojz.exe.37a86e0.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Kbojz.exe.37efeb0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.4cf0000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.6010000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Kbojz.exe.37a86e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3acec70.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UGS - CRO REQ - KHIDUBAI (OPL-841724).scr.3925230.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Kbojz.exe.3351590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Kbojz.exe.392fed0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.419873303.0000000000640000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.407176401.00000000025FD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.407176401.0000000002384000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.420766544.0000000002577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.420766544.00000000022E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359357988.0000000006010000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356481377.00000000021F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.432614615.0000000004CF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.356481377.0000000002436000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.471133740.0000000002362000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.410066207.000000000392F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.410066207.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr PID: 3224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr PID: 3372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kbojz.exe PID: 3552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kbojz.exe PID: 3652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kbojz.exe PID: 3752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Kbojz.exe PID: 3840, type: MEMORYSTR

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A35E8 push ebp; retf	0_2_046A35EF
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A3623 push ds; retf	0_2_046A3626
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A60C3 push 00000004h; iretd	0_2_046A60D0
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_046A7104 push esp; ret	0_2_046A7109
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_04C83E65 pushad ; ret	0_2_04C83E68
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_04C81B9B push ecx; retf	0_2_04C81B9C
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058B3DB3 push ebx; ret	0_2_058B3DB4
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 0_2_058B6903 push edi; retf	0_2_058B6906
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_001E5370 push esp; ret	2_2_001E5379
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609972 push edi; ret	2_2_00609973
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609975 push edi; ret	2_2_00609993
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_0060995F push edi; ret	2_2_006099E3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_0060995F push esi; ret	2_2_00609A43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_0060995F push esi; ret	2_2_00609AA3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_0060995F push esi; ret	2_2_00609AF3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_0060995F push ebp; ret	2_2_00609B43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006099E0 push edi; ret	2_2_006099F3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006099A5 push esi; ret	2_2_00609A43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006099A5 push esi; ret	2_2_00609AA3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006099A5 push esi; ret	2_2_00609AE3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_006099A5 push ebp; ret	2_2_00609B43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609995 push edi; ret	2_2_00609993
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609995 push edi; ret	2_2_006099A3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609A72 push esi; ret	2_2_00609A73
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609A45 push ebp; ret	2_2_00609B43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609AE0 push esi; ret	2_2_00609AF3
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00609B00 push ebp; ret	2_2_00609B43
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00608D33 push esp; ret	2_2_00608D38
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00608D14 push esp; ret	2_2_00608D19
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00608DFA push ebx; ret	2_2_00608DFB
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Code function: 2_2_00608DC7 push ebx; ret	2_2_00608DC8

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File created: \ugs - cro req - khidubai (opl-841724).scr
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	File created: \ugs - cro req - khidubai (opl-841724).scr			Jump to behavior

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kbojz			Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Kbojz			Jump to behavior

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 20E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 1DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 6010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 7010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 2250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory allocated: 360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 22D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 5F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 6F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 1E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 2210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 1F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 5D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 6D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 1E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 22F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 740000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 1F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 2270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory allocated: 1F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Window / User API: threadDelayed 9241	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Window / User API: threadDelayed 563	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Window / User API: threadDelayed 4303	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Window / User API: threadDelayed 1532	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 762	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 5907	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 1089	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 3288	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 798
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Window / User API: threadDelayed 2658

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3324	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3324	Thread sleep time: -7200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3328	Thread sleep count: 9241 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3328	Thread sleep count: 563 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3416	Thread sleep count: 4303 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3408	Thread sleep count: 1532 > 30	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3508	Thread sleep time: -360000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3824	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3824	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr TID: 3388	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3620	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3620	Thread sleep time: -8400000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3624	Thread sleep count: 762 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3624	Thread sleep count: 5907 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3620	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3564	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3804	Thread sleep time: -8301034833169293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3804	Thread sleep time: -7200000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3808	Thread sleep count: 1089 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3808	Thread sleep count: 3288 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3804	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3768	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3880	Thread sleep count: 798 > 30
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3888	Thread sleep count: 2658 > 30
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3932	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3912	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 4068	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 4068	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Kbojz.exe TID: 3864	Thread sleep time: -922337203685477s >= -30000s

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003C53000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pCnWVMciWU
Source: Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Kbojz.exe, 00000004.00000002.420766544.00000000022E5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Kbojz.exe, 00000006.00000002.478817595.0000000002271000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Memory written: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory written: C:\Users\user\AppData\Roaming\Kbojz.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Memory written: C:\Users\user\AppData\Roaming\Kbojz.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Queries volume information: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Queries volume information: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Kbojz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Kbojz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Kbojz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Kbojz.exe VolumeInformation

Windows Analysis Report UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UGS - CRO REQ - KHIDUBAI (OPL-841724).scr

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.424766179.0000000003925000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JwjpjAXX2iPkLxCgj32
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus Web3
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000002.00000002.420675930.0000000002251000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: UGS - CRO REQ - KHIDUBAI (OPL-841724).scr, 00000000.00000002.359476734.0000000007180000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt	Jump to behavior
Source: C:\Users\user\Desktop\UGS - CRO REQ - KHIDUBAI (OPL-841724).scr	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core

Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\Kbojz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies

IP	Domain	Country	ASN	ASN Name	Malicious
150.171.41.11	dual-spov-0006.spov-dc-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.137.11	dual-spov-0006.spov-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
80.85.152.161	unknown	Russian Federation	44493	CHELYABINSK-SIGNAL-ASRU	false

Name	IP	Active
dual-spov-0006.spov-msedge.net	13.107.137.11	true
dual-spov-0006.spov-dc-msedge.net	150.171.41.11	true
public.am.files.1drv.com	unknown	unknown
utqurw.am.files.1drv.com	unknown	unknown
onedrive.live.com	unknown	unknown
skydrive.live.com	unknown	unknown
63.155.11.0.in-addr.arpa	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?resid=26943FEBC022618F%21479&authkey=!APRD0RAPKJuy4WE	false		high
https://onedrive.live.com/download?resid=26943FEBC022618F%21481&authkey=!AJjxgOKv6NEIF-A	false		high

ID:	1428798
Product:	CloudBasic
Start time:	16:15:58
Start date:	19.04.2024
Sample:	UGS - CRO REQ - KHIDUBAI (OPL-841724).scr
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	f99dc4d2e045ae0bbc169fff12a5c6d5
SHA1:	c3a4a89907201776e9ad38fc63573522e0d233f1
SHA256:	e4726c4cad6dd043e87289a51733a6627b2abf1ae88b70458c9674ef4669540c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Buyeg.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10	8BB4851AE9495C7F93B4D8A6566E64DB	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
C:\Users\user\AppData\Local\Temp\Cocwtjozfrv.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24	1623709C6B2FB813984B1265C26A85F1	CCE4DDBE93E97E68359CB6FD71242F796A785F86	88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
C:\Users\user\AppData\Local\Temp\Eiakizpyayx.tmpdb	SQLite 3.x database, user version 35, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 3, database pages 35, cookie 0x1d, schema 4, UTF-8, version-valid-for 3	E28514A583D6F83F8C67CA62CB891CA7	4107934697F0891B26B16A6E0D9795271353355C	B41E251C18B2B1CDD79E33F0B3AB12EAD8EF257969E26BFBB06DB7C70E9E0FFC
C:\Users\user\AppData\Local\Temp\Eyyfpwdpwe.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3	CD5ACB5FAA79EEB4CDB481C6939EEC15	527F3091889C553B87B6BC0180E903E2931CCCFE	D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
C:\Users\user\AppData\Local\Temp\Jalcxg.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24	1623709C6B2FB813984B1265C26A85F1	CCE4DDBE93E97E68359CB6FD71242F796A785F86	88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
C:\Users\user\AppData\Local\Temp\Kcidab.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Mwcft.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 3, database pages 20, cookie 0x15, schema 4, UTF-8, version-valid-for 3	CD5ACB5FAA79EEB4CDB481C6939EEC15	527F3091889C553B87B6BC0180E903E2931CCCFE	D86AE09AC801C92AF3F2A18515F0C6ACBFA162671A7925405590CA4959B51E96
C:\Users\user\AppData\Local\Temp\Nqzztyyufmf.tmp	SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24	1623709C6B2FB813984B1265C26A85F1	CCE4DDBE93E97E68359CB6FD71242F796A785F86	88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
C:\Users\user\AppData\Local\Temp\Ntxfuk.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Oazzuwge.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10	8BB4851AE9495C7F93B4D8A6566E64DB	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
C:\Users\user\AppData\Local\Temp\Opnjh.tmpdb	SQLite 3.x database, user version 7, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 5, database pages 4, cookie 0x3, schema 4, UTF-8, version-valid-for 5	37F03D0EB1744FFEBCF26E3DB4A4280F	0B120B18B36AD6A64C27D3845A5871D10568C92E	4D7F53C9B0D3757074542B9EB246FA5242456418394DAD90D23CB0CE8D664040
C:\Users\user\AppData\Local\Temp\Owotczgukzq.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Pxmvdvdnhp.tmpdb	SQLite 3.x database, user version 7, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 5, database pages 4, cookie 0x3, schema 4, UTF-8, version-valid-for 5	37F03D0EB1744FFEBCF26E3DB4A4280F	0B120B18B36AD6A64C27D3845A5871D10568C92E	4D7F53C9B0D3757074542B9EB246FA5242456418394DAD90D23CB0CE8D664040
C:\Users\user\AppData\Local\Temp\Rdlgtuxmdrq.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Rgcgvjqbqci.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Stygcpda.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10	8BB4851AE9495C7F93B4D8A6566E64DB	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
C:\Users\user\AppData\Local\Temp\Urmvri.tmpdb	SQLite 3.x database, last written using SQLite version 3008001, file counter 13, database pages 30, 1st free page 27, free pages 1, cookie 0x1e, schema 4, UTF-8, version-valid-for 13	9DEFC75D6086CCDBE05ED9EE2159CF84	BCF6B1893581F2420564160F784E47E91946269A	04F89C6DE1CA272A5019395A923DEAE68D5F47641AD5623606E3D092BAA7245A
C:\Users\user\AppData\Local\Temp\Uwdvtizbx.tmpdb	SQLite 3.x database, user version 35, last written using SQLite version 3008001, page size 32768, writer version 2, read version 2, file counter 3, database pages 35, cookie 0x1d, schema 4, UTF-8, version-valid-for 3	E28514A583D6F83F8C67CA62CB891CA7	4107934697F0891B26B16A6E0D9795271353355C	B41E251C18B2B1CDD79E33F0B3AB12EAD8EF257969E26BFBB06DB7C70E9E0FFC
C:\Users\user\AppData\Local\Temp\Vloljy\7xwghk55.default\key3.db	Berkeley DB 1.85 (Hash, version 2, native byte-order)	1DEFC9C4F8AFC884D5714DE065F88E3D	AE6ABD61EB9592F3804B80A0F4C4214AB2D85102	6F30E3E5BC88098596885E89B129B847646BBE16B7537FB2A0D876AA8515BF02
C:\Users\user\AppData\Local\Temp\Zfpoqrkrnxm.tmp	SQLite 3.x database, last written using SQLite version 3008001, file counter 24, database pages 5, cookie 0xf, schema 4, UTF-8, version-valid-for 24	1623709C6B2FB813984B1265C26A85F1	CCE4DDBE93E97E68359CB6FD71242F796A785F86	88BCF762A75F085ECD3B12EB2BA81B81A7F8C9CDDDD4DED624BA28566EB7EEAA
C:\Users\user\AppData\Local\Temp\Zlxloj.tmpdb	SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10	8BB4851AE9495C7F93B4D8A6566E64DB	B16C29E9DBBC1E1FE5279D593811E9E317D26AF7	143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
C:\Users\user\AppData\Local\Temp\Zpbxo\7xwghk55.default\key3.db	Berkeley DB 1.85 (Hash, version 2, native byte-order)	1DEFC9C4F8AFC884D5714DE065F88E3D	AE6ABD61EB9592F3804B80A0F4C4214AB2D85102	6F30E3E5BC88098596885E89B129B847646BBE16B7537FB2A0D876AA8515BF02
C:\Users\user\AppData\Roaming\Kbojz.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	F99DC4D2E045AE0BBC169FFF12A5C6D5	C3A4A89907201776E9AD38FC63573522E0D233F1	E4726C4CAD6DD043E87289A51733A6627B2ABF1AE88B70458C9674EF4669540C
C:\Users\user\AppData\Roaming\Kbojz.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309