Windows Analysis Report
74fa486WVX.exe

Overview

General Information

Sample name: 74fa486WVX.exe
renamed because original name is a hash value
Original sample name: 15ce9e885610d5b85500ea0d139f6d21.exe
Analysis ID: 1429048
MD5: 15ce9e885610d5b85500ea0d139f6d21
SHA1: 99f1392185a70453f33e15d6f5b75064217c2c18
SHA256: 95442c887f47bbb4b350fca87c45dc6ef95355ce86a63d7c2f50db2d92ae512e
Tags: 64exeStealc

Detection

Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Group Policy settings
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name | Description | Attribution | Blogpost URLs | Link
Stealc | Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar | Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
zgRAT | zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer capability which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: 0000000D.00000003.1746772797.0000000003590000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.209/3cd2b41cbde8fc9c.php"}
Source: 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.209/3cd2b41cbde8fc9c.php"}
Source: C:\Users\user\AppData\Local\01Zkr9Pqv75RBBPAfRuOcR8W.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\01Zkr9Pqv75RBBPAfRuOcR8W.exe Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\0539f2UvFHQYMmDfLH9ZSkIn.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\0539f2UvFHQYMmDfLH9ZSkIn.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\0WJXemd5pQKDpgfnQ3uQfzFV.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\0WJXemd5pQKDpgfnQ3uQfzFV.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\0tJmsjsuq861nw8wVciecU0e.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\0tJmsjsuq861nw8wVciecU0e.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\1xHPgdRbGIGh0nmHKOdvoVaq.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\1xHPgdRbGIGh0nmHKOdvoVaq.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\24PXKARoj7uC8IIGZm6izG3D.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\24PXKARoj7uC8IIGZm6izG3D.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\2Do1I89wRECQJCwpROH5lsmE.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\2Do1I89wRECQJCwpROH5lsmE.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\5FQtA1wucts8Yrqmv9O6idz6.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\5FQtA1wucts8Yrqmv9O6idz6.exe Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\649FP6erIG3uUfhR0wTmAGh3.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\649FP6erIG3uUfhR0wTmAGh3.exe Virustotal: Detection: 49%
Source: C:\Users\user\AppData\Local\6AsVyY9hcVg6BrRB3XAxmLRn.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\6AsVyY9hcVg6BrRB3XAxmLRn.exe Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\6ukblLKwIGzTeTLtRG3BVQ4x.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\6ukblLKwIGzTeTLtRG3BVQ4x.exe Virustotal: Detection: 42%
Source: 74fa486WVX.exe ReversingLabs: Detection: 21%
Source: 74fa486WVX.exe Virustotal: Detection: 26%
Source: 74fa486WVX.exe Joe Sandbox ML: detected
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: @@@@<@@@
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: %s\%V/yVs
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: %s\*.
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: }567y9n/S
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: ntTekeny
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: ging
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: PassMord0
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: J@@@`z`@J@@@J@@@
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: OPQRSTUVWXY
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: 456753+/---- '
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: '--- '
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: nwpg
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: .dll
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: column_text
Source: 27.2.u5lo.0.exe.400000.0.raw.unpack String decryptor: login:
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 13_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 13_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 13_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 13_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 13_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68326C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 13_2_68326C80
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6849A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 13_2_6849A9A0

Exploits

Source: Yara match File source: 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 74fa486WVX.exe PID: 6560, type: MEMORYSTR

Compliance

Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Unpacked PE file: 10.2.aD6tv7fY2lQHgM7IuiL9Hw1Z.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Unpacked PE file: 13.2.u5tg.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Unpacked PE file: 18.2.LnpUuX1UZxpX7wm3ojkkhPdD.exe.400000.0.unpack
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Unpacked PE file: 26.2.GnP27p1NAAqpGRO5fkWggl4G.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe Unpacked PE file: 27.2.u5lo.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Unpacked PE file: 28.2.aLJAULt319f3yelZ9yHcLLmp.exe.400000.0.unpack
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Unpacked PE file: 29.2.x2VAVd7wCFKvEJ20FLblB74a.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Unpacked PE file: 33.2.ucyz2FBrS2ZmSVbb1v4MylBp.exe.400000.0.unpack
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Unpacked PE file: 36.2.62yRKzzf4sPbuvaYnIB1MyY6.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Unpacked PE file: 40.2.ZD1fmOCLpyrjNES6gIPEm8BD.exe.400000.0.unpack
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Unpacked PE file: 44.2.RyhY8hIGZEZNYbghQkrpaTbg.exe.400000.0.unpack
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115425810.log
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115438068.log
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 74fa486WVX.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: u5tg.0.exe, 0000000D.00000002.2733626903.000000006838D000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: RC:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842065324.0000000004861000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846372753.0000000005044000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842247378.0000000004862000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847791034.0000000005364000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845850142.0000000005044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003ABB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140238000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140238000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: C:\yicukewiceyal\ge.pdb source: aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000003.1744695734.0000000003741000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000000.1743563423.000000000041B000.00000002.00000001.01000000.00000009.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000003.1874006266.0000000003801000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1886502011.0000000003771000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1932534592.00000000037C1000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000000.1862492427.000000000041B000.00000002.00000001.01000000.00000013.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000003.1964468154.0000000003781000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.1957327331.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140238000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140238000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843997507.00000000050C3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841694299.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842489395.0000000005051000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841790509.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842382816.0000000005051000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yixeki-ciguwan38_buyej\jobo.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845157813.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1838884651.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1838884651.0000000004888000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840311650.00000000048E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: C:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842065324.0000000004861000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846372753.0000000005044000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842247378.0000000004862000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847791034.0000000005364000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845850142.0000000005044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: u5tg.0.exe, 0000000D.00000002.2733626903.000000006838D000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1884648951.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878460153.0000000004862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbH source: jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003ABB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140265000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140265000.00000040.00000001.01000000.00000011.sdmp, l6tkmwjdUErRj2XjAOLUSPtS.exe, 0000001E.00000002.2152673578.0000000140265000.00000040.00000001.01000000.00000016.sdmp
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140243000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140243000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140243000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140243000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: DC:\yicukewiceyal\ge.pdb source: aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000003.1744695734.0000000003741000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000000.1743563423.000000000041B000.00000002.00000001.01000000.00000009.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000003.1874006266.0000000003801000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1886502011.0000000003771000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1932534592.00000000037C1000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000000.1862492427.000000000041B000.00000002.00000001.01000000.00000013.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000003.1964468154.0000000003781000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.1957327331.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: LNC:\noyofalivam\xeguhukur.pdb source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2967048972.0000000004319000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034DA000.00000004.00000800.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000002.2365446136.0000000001AB8000.00000004.00000020.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000000.1700515452.000000000041B000.00000002.00000001.01000000.00000007.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000000.1779339552.000000000041B000.00000002.00000001.01000000.0000000C.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000002.2528541137.0000000001D48000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000000.1825118600.000000000041B000.00000002.00000001.01000000.0000000D.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000000.1855770656.000000000041B000.00000002.00000001.01000000.00000012.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000002.2525303834.0000000001B88000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000002.2381563199.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000000.1862402151.000000000041B000.00000002.00000001.01000000.00000014.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000000.1866064043.000000000041B000.00000002.00000001.01000000.00000015.sdmp, RyhY8hIGZEZNYbghQkrpaTbg.exe, 0000002C.00000000.1954578069.000000000041B000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\noyofalivam\xeguhukur.pdb source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2967048972.0000000004319000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034DA000.00000004.00000800.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000002.2365446136.0000000001AB8000.00000004.00000020.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000000.1700515452.000000000041B000.00000002.00000001.01000000.00000007.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000000.1779339552.000000000041B000.00000002.00000001.01000000.0000000C.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000002.2528541137.0000000001D48000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000000.1825118600.000000000041B000.00000002.00000001.01000000.0000000D.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000000.1855770656.000000000041B000.00000002.00000001.01000000.00000012.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000002.2525303834.0000000001B88000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000002.2381563199.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000000.1862402151.000000000041B000.00000002.00000001.01000000.00000014.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000000.1866064043.000000000041B000.00000002.00000001.01000000.00000015.sdmp, RyhY8hIGZEZNYbghQkrpaTbg.exe, 0000002C.00000000.1954578069.000000000041B000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: 8>C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1884648951.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878460153.0000000004862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GC:\bivonare pif.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1869958857.0000000006711000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858482387.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1859853643.000000000516F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862956028.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1864705767.0000000005361000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1860935215.0000000005365000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1855540860.0000000004831000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1865504661.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, 0Q5dKppSpEUoGQyfKKa0z3T3.exe, 00000015.00000000.1826680480.000000000041B000.00000002.00000001.01000000.0000000E.sdmp, BqrcKabb3rjHWiGgZhhaSqKx.exe, 00000016.00000000.1826692672.000000000041B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: nss3.pdb source: u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\bivonare pif.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1869958857.0000000006711000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858482387.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1859853643.000000000516F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862956028.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1864705767.0000000005361000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1860935215.0000000005365000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1855540860.0000000004831000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1865504661.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, 0Q5dKppSpEUoGQyfKKa0z3T3.exe, 00000015.00000000.1826680480.000000000041B000.00000002.00000001.01000000.0000000E.sdmp, BqrcKabb3rjHWiGgZhhaSqKx.exe, 00000016.00000000.1826692672.000000000041B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: ".pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp

Change of critical system settings

Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
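The two registry writes above do not touch `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions` directly; they land under the per-user `Group Policy Objects\{GUID}Machine` key, which is where a locally edited GPO is staged before the policy engine applies it to HKLM. An audit that only reads the HKLM policy key therefore misses the `exe` extension exclusion until the next policy refresh. The script below is an added example (not part of the sandbox report or any vendor tool): it classifies (key, value name) pairs from either location, rates them, and on Windows can walk the live registry with the standard-library `winreg` module. The sample entries are constructed from the two lines above plus one benign-looking path exclusion and one unrelated Defender value; the `HIGH_RISK_EXTENSIONS` list and the severity ranking are my own choices.

```python
"""Audit Windows Defender exclusions, including ones staged through a local GPO.
Added example; collect_live() needs Windows (winreg), the rest runs anywhere."""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

POLICY_ROOT = r"SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions"
GPO_CACHE_ROOT = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects"
EXCLUSION_KINDS = ("Extensions", "Paths", "Processes")
# Extension exclusions that effectively switch scanning off for executables (my own list)
HIGH_RISK_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "*"}
RANK = {"high": 0, "medium": 1, "info": 2}

# Direct policy key, or the same key staged under a GPO GUID (GUID and
# "Machine"/"User" are joined with no backslash, exactly as in the report),
# optionally followed by the exclusion kind subkey.
_KEY_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\"
    r"(?:(?P<cache>" + re.escape(GPO_CACHE_ROOT) + r"\\\{[0-9A-Fa-f-]+\}(?:Machine|User))\\)?"
    + re.escape(POLICY_ROOT) + r"(?:\\(?P<kind>Extensions|Paths|Processes))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    hive: str
    kind: str            # Extensions / Paths / Processes
    item: str            # excluded extension, path or process; "<enabled>" for the on/off flag
    via_gpo_cache: bool  # True when staged under Group Policy Objects\{GUID}Machine
    severity: str


def classify(key_path: str, value_name: str) -> Optional[Finding]:
    """Turn one (registry key, value name) pair into a Finding, or None if unrelated."""
    m = _KEY_RE.match(key_path.rstrip("\\"))
    if not m:
        return None
    hive, via_cache, kind = m.group("hive").upper(), m.group("cache") is not None, m.group("kind")
    if kind is None:
        # The parent Exclusions key only carries the Exclusions_<Kind> enable flags
        flag = re.fullmatch(r"Exclusions_(Extensions|Paths|Processes)", value_name, re.IGNORECASE)
        return Finding(hive, flag.group(1).capitalize(), "<enabled>", via_cache, "info") if flag else None
    kind = kind.capitalize()
    # For Extensions the value NAME is the excluded extension ("exe"); normalise ".EXE" -> "exe"
    item = value_name.strip().lstrip(".").lower() if kind == "Extensions" else value_name.strip()
    risky = kind == "Extensions" and item in HIGH_RISK_EXTENSIONS
    return Finding(hive, kind, item, via_cache, "high" if (risky or via_cache) else "medium")


def audit(entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Classify every entry and return the findings, most severe first."""
    findings = [f for f in (classify(k, v) for k, v in entries) if f is not None]
    return sorted(findings, key=lambda f: (RANK[f.severity], f.kind, f.item))


def collect_live() -> Iterable[Tuple[str, str]]:
    """Enumerate the live registry (Windows only): HKLM policy key plus every staged GPO."""
    import winreg  # standard library, present only on Windows
    bases = [("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE, POLICY_ROOT)]
    for hive_name, hive in (("HKEY_CURRENT_USER", winreg.HKEY_CURRENT_USER),
                            ("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, GPO_CACHE_ROOT) as cache:
                for i in range(winreg.QueryInfoKey(cache)[0]):
                    bases.append((hive_name, hive, f"{GPO_CACHE_ROOT}\\{winreg.EnumKey(cache, i)}\\{POLICY_ROOT}"))
        except OSError:
            pass
    for hive_name, hive, base in bases:
        for kind in ("",) + EXCLUSION_KINDS:
            path = f"{base}\\{kind}" if kind else base
            try:
                with winreg.OpenKey(hive, path) as key:
                    for i in range(winreg.QueryInfoKey(key)[1]):
                        name, _data, _type = winreg.EnumValue(key, i)
                        yield f"{hive_name}\\{path}", name
            except OSError:
                continue


# Constructed sample: the two writes from the report, a benign-looking path
# exclusion, and an unrelated Defender policy value that must be ignored.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects"
     r"\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",
     "Exclusions_Extensions"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects"
     r"\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions",
     "exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths", r"C:\Program Files\Vendor"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"),
]

if __name__ == "__main__":
    entries = list(collect_live()) if sys.platform == "win32" else SAMPLE_ENTRIES
    for f in audit(entries):
        print(f"[{f.severity:6}] {f.kind:10} {f.item!r:40} ({'GPO-staged' if f.via_gpo_cache else 'direct'}, {f.hive})")
```

Any exclusion that arrives through the GPO staging key is rated high regardless of content, because a user-writable staging path becoming machine policy is the anomaly worth paging on; the extension list only adds a second reason on top.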
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 13_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 13_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 13_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 13_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 13_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 13_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor URLs: http://185.172.128.209/3cd2b41cbde8fc9c.php
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Bc4dcTAjyvtQ9T6PrR3f0uzO.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: ccoBo0rRmpQ5gEQf8uOm2hw8.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: qsGNy3xtDdMUFTSJA4Mrz3vJ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: RDFohlfw679Ux25vFH74CiK2.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: y2WdWAdLkOUkh2B9NXcEScw2.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Hbu62iH0oWTYkueDhqQNBMlJ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 7U3Rk7aLVDVnrRHtzFxyD2hj.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 9qKzKIb4zlixUBIMbsAdr6e5.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: tbXSlgaofvAqF1YwBO3ogwLi.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: m6bKjeL6PzYGlRvC2JJBhIJB.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: BPE5NTxxXzTf7UomGVXunUNo.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: x84B5Aew9VrQaMhCPbGNjsy6.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: eKWJxN788Wcm8PbTcMNGvZ0a.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 6GMAOzzQrs8n3hhYfIpfQSoV.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: kO6RzgL2zO69SBqlEfR6fOiU.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: FfzaqqmVqlNLTGLFn2QdOrmt.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: qu8dqUeHGOw6VkEVxnsN47hK.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: ZAHLmF3nVdCimYamVmIRpMtj.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: vyB4B6GBi30MLwbPL3cXdgXM.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: SNT7mY94u8xH6lHN9QDCsX3l.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: NXsvPjvPPQV2IIAvucdjzO0T.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: cSQCidG8hZ2BZBivls30Cd6j.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: cW6Iba0lh72vV9KHkBEgeBxU.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: DUeoFDUvNcsc60JsKOos974H.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Ycz2IIZFaXyUlRhWXFPYKsPT.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 4bb72Ogtgd8zfrUvuX4RiGta.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: HqLCSqdxI0ymxN2GkUs5k2xF.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 3l5DQQ6yrAd7jQOt8UC94MYm.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: j1gNRGWbe2W31aYhk7aVo0ee.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 5zadD0mViiouBMeDIkBFC8NA.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: kMQkrJQ6lagfJOGvz7gfOLVM.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 6eY7wD7sWCGLclaDApqh69x1.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: RvNk31032JOWTSBcfv4xhrgk.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: JCuibEyjPnckBLTtUeFDd4IA.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: gqjMUiDTMpBEgZYftYEz41nU.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: AG5K4zrQRmDjLsNdvUGBgf9J.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: BI3eJTQfHvZZoPFkXHBXdS87.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: I93qDzkNBbZCwuwOhsxuYvb2.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Uw0veNjXiB4MDIr6Lq20Ymy7.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: dg0QbdwoDPb4ZW47K3WbTMRh.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: GGnhXLyclFeA8V6yzQbtTsT8.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: enN9uqOYwpoldszgv9531SIP.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: sskwGsuesJwUbp0gb5wOey0k.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: qR5U2QvPjesrEhw5iPZ1p4Pz.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 6UZzWax6GG1SbfyYXj7IWO5r.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 2LpGwjYMLdyfWXLxfsx56mJC.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 9oFSK8dPCnaeAIq0w8hbPC8o.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: xRG283GfGjjwKjta5BEJHem9.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: w63kjcJTpHd5DkDn8MLzMbMr.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Q7x3pFx53MFdbVPm71oOscoY.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: TjAW5yNM3qrTuUevYSMyx0O5.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 32mv11NyrxtkxZGtF5J8XLjt.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: SnFBAa34lZI5aFFjj2MyBANi.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: pVm6YNoRZgHRJxXKE9eRi1jk.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: B46OcL5siA7EIXTXwfJett0x.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: JKJmEJtUChhawqFUlVO7iqEG.exe.5.dr
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: 0VDgJ3_yDezlSifw_UMGpT2Z.exe.12.dr
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: 9WX0wj3m1yKHqBrGQgS0ATep.exe.12.dr
Source: Yara match File source: 0.2.74fa486WVX.exe.22028643f98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.74fa486WVX.exe.220286469d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.jsc.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00426504 __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket, 10_2_00426504
Source: u5tg.0.exe, 0000000D.00000002.2470929452.0000000001BFE000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000002.2691208486.0000000001D7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/freebl3.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/mozglue.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/mozglue.dll(
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/msvcp140.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/nss3.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/nss3.dll0
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/softokn3.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/softokn3.dllb
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/sqlite3.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/sqlite3.dlln
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/vcruntime140.dll
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/vcruntime140.dll6G
Source: u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php
Source: u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php%
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php-
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php/
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php0dfb6d6d8c508673859a401be5a4n
Source: u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php1
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php9
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php:h
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpA
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpG
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpP
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpR
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpS
Source: u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpp
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phprowser
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/am
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/es
Source: jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exe
Source: jsc.exe, 00000005.00000002.2652166085.00000000033A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exe3
Source: jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000347A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003408000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exe4k
Source: jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exeI
Source: jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exeLR
Source: jsc.exe, 00000005.00000002.2652166085.00000000033AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.59/ISetup5.exeU
Source: jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003943000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.18
Source: jsc.exe, 00000005.00000002.2652166085.0000000003408000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.18Fa
Source: jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.172.18x=
Source: jsc.exe, 00000005.00000002.2652166085.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003983000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A70000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000398B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003520000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000379F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003AA0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003510000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003981000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003985000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exe
Source: jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003520000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175
Source: jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe
Source: jsc.exe, 00000005.00000002.2652166085.00000000033A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe/
Source: jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe0
Source: jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003408000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exe4k
Source: jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/ww12/AppGate2103v01.exeE
Source: jsc.exe, 00000005.00000002.2652166085.000000000334D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000399A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234
Source: jsc.exe, 00000005.00000002.2652166085.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003344000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003425000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003404000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003911000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/InstallCharityEngine_7.14.2_S16-01.exe
Source: jsc.exe, 00000005.00000002.2652166085.000000000334D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/InstallCharityEngine_7.14.2_S16-01.exe4k
Source: jsc.exe, 00000005.00000002.2652166085.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003344000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003425000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003404000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003911000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exe
Source: jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exe4k
Source: jsc.exe, 00000005.00000002.2652166085.000000000334D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.234/files/setup.exeW
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904036476.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1830855097.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862487301.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845937117.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904036476.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1830855097.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862487301.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845937117.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpe
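The memory strings above carry two distinct patterns worth turning into detection logic. The Stealc/Vidar stage at 185.172.128.209 pairs a PHP gate (`3cd2b41cbde8fc9c.php`) with the legitimate Mozilla NSS, SQLite and VC runtime DLLs (`freebl3.dll`, `mozglue.dll`, `nss3.dll`, `softokn3.dll`, `sqlite3.dll`, `msvcp140.dll`, `vcruntime140.dll`) that these stealers pull from a hex-named directory at run time so they can open Firefox and Chromium credential databases; the loader stage in `jsc.exe` holds plain `.exe` downloads from bare-IP hosts. Many of the strings also end in a stray byte or two (`nss3.dll0`, `.phprowser`, `ISetup5.exe4k`) because the sandbox reads past the string terminator, so anything that consumes them has to trim first. The script below is an added example, not part of the report: it normalizes such strings, groups the URLs by host and flags both patterns. The sample inputs are constructed from the report's strings plus one proxy-log-style line; the flag names, the "three or more DLLs" threshold and the extension list used for trimming are my own choices.

```python
"""Triage download/C2 URLs from memory strings or proxy logs and flag the
stealer download pattern (PHP gate + browser-credential DLL kit on a bare IP).
Added example, not the sandbox's code; sample inputs are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Trim the URL right after the first recognised file extension: memory
# strings such as "nss3.dll0" or ".phprowser" carry bytes past the terminator.
_EXT_CUT = re.compile(r"\.(?:exe|dll|php|crt)", re.IGNORECASE)
# Legitimate DLLs that Stealc, Vidar and Mars download to read browser credential stores
STEALER_DLLS = {"freebl3.dll", "mozglue.dll", "nss3.dll", "softokn3.dll",
                "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}
KIT_THRESHOLD = 3  # my choice: this many kit DLLs from one host is enough to flag


def normalize(raw: str) -> str:
    """'http://h/p/nss3.dll0' -> 'http://h/p/nss3.dll'; URLs without a known extension are kept."""
    m = _EXT_CUT.search(raw)
    return raw[: m.end()] if m else raw


def extract_urls(lines: Iterable[str]) -> List[str]:
    """All URLs in the input, normalized and de-duplicated, in first-seen order."""
    seen, out = set(), []
    for line in lines:
        for raw in URL_RE.findall(line):
            url = normalize(raw)
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


def triage(lines: Iterable[str]) -> Dict[str, dict]:
    """Group URLs by host and flag bare-IP PHP gates, bare-IP EXE drops and the DLL kit."""
    by_host = defaultdict(list)
    for url in extract_urls(lines):
        parts = urlsplit(url)
        if parts.hostname:
            by_host[parts.hostname].append(parts.path)
    report = {}
    for host, paths in by_host.items():
        names = {p.rsplit("/", 1)[-1].lower() for p in paths}
        bare_ip = bool(BARE_IP_RE.match(host))
        flags = []
        if bare_ip and any(n.endswith(".php") for n in names):
            flags.append("php_gate_on_bare_ip")
        if bare_ip and any(n.endswith(".exe") for n in names):
            flags.append("exe_download_from_bare_ip")
        if len(names & STEALER_DLLS) >= KIT_THRESHOLD:
            flags.append("browser_credential_dll_kit")
        report[host] = {"bare_ip": bare_ip, "paths": sorted(paths), "flags": flags,
                        "verdict": "malicious" if flags else "unclassified"}
    return report


def malicious_hosts(report: Dict[str, dict]) -> List[str]:
    """Hosts that raised at least one flag, for a blocklist or hunt query."""
    return sorted(h for h, r in report.items() if r["flags"])


# Constructed sample: strings mirroring the report (with their trailing junk),
# plus one proxy-log-style line to show the same extractor works on logs.
SAMPLE_STRINGS = [
    "http://185.172.128.209/3cd2b41cbde8fc9c.php",
    "http://185.172.128.209/3cd2b41cbde8fc9c.phprowser",
    "http://185.172.128.209/15f649199f40275b/freebl3.dll",
    "http://185.172.128.209/15f649199f40275b/mozglue.dll(",
    "http://185.172.128.209/15f649199f40275b/nss3.dll0",
    "http://185.172.128.209/15f649199f40275b/softokn3.dllb",
    "http://185.172.128.209/15f649199f40275b/vcruntime140.dll6G",
    "2024-04-17T10:02:11Z host1 GET http://185.172.128.209/15f649199f40275b/sqlite3.dll 200",
    "http://185.172.128.59/ISetup5.exe4k",
    "http://193.233.132.175/server/ww12/AppGate2103v01.exe",
    "http://193.233.132.139/dacha/rules.exe",
    "http://5.42.66.10/download/th/getimage12.php",
    "http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "http://185.172.18",  # truncated string, kept but never flagged
]

if __name__ == "__main__":
    rep = triage(SAMPLE_STRINGS)
    for host in malicious_hosts(rep):
        print(host, rep[host]["flags"], len(rep[host]["paths"]), "paths")
```

The certificate-authority URL and the truncated `http://185.172.18` string fall through as unclassified rather than being dropped, so an analyst still sees them; only the bare-IP hosts with a gate, an executable or the DLL kit are promoted to a verdict.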
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://download.iolo.net
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: jsc.exe, 00000005.00000002.2652166085.00000000037E5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034CE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003985000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://iplogger.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jonathantwo.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jonathantwo.comH
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003991000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://lati.lb.opera.technology
Source: jsc.exe, 00000005.00000002.2652166085.0000000003991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://net.geo.opera
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003991000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003408000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://net.geo.opera.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767_
Source: jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767__456
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: jsc.exe, 00000005.00000002.2652166085.0000000003883000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003991000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003ABB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003AA6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000398B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003AEE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://realdeepai.org
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1983329590.0000000004568000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1975964072.0000000004434000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1983329590.0000000004568000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1975964072.0000000004434000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.php
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1983329590.0000000004568000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1975964072.0000000004434000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.2brightsparks.com/onclick/help/
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1983329590.0000000004568000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1975964072.0000000004434000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.2057532612.00000000053D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845426366.0000000004835000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845157813.000000000501E000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845524803.0000000004813000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846372753.000000000501F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.innosetup.com
Source: u5tg.0.exe, u5tg.0.exe, 0000000D.00000002.2733626903.000000006838D000.00000002.00000001.01000000.00000027.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: jsc.exe, 00000005.00000002.2652166085.0000000003B14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.opera.com0
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2717481035.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1750675756.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140001000.00000040.00000001.01000000.00000010.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000003.1878955386.0000000002310000.00000004.00001000.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140001000.00000040.00000001.01000000.00000011.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000003.1881772591.0000000000400000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: jsc.exe, 00000005.00000002.2652166085.0000000003883000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A07000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://yip.su
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1849130242.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843245371.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879784892.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843541654.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904290505.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1851674958.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857791861.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exef
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1849130242.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843245371.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879784892.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843541654.0000000002C20000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904290505.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1851674958.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857791861.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com/7725eaa6592c80f8124e769b4e8a07f7.exexe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1830855097.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1832742969.0000000002C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://baldurgatez.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841928255.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842704242.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846731580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845426366.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841928255.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842704242.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845426366.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/.
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047F2000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842489395.000000000516E000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846798256.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1848924916.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846798256.00000000047C8000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1848924916.00000000047C8000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1851296089.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862351915.000000000480A000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846992026.0000000004824000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047C5000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847485407.000000000480A000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845602194.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844257395.00000000047C8000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898388745.000000000480A000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 
0000000C.00000003.1844257395.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1856492137.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047C8000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047BD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898388745.0000000004822000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/8b0be658-c958-47a3-96e4-fc8e5fe7c5dc/downloads/dc50f97b-477f-
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845937117.0000000002BDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1851296089.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1856492137.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845602194.00000000047DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exea6592c80f8124e769b4e8a07f7.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047D9000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exeF
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exeH
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842797313.0000000004821000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862487301.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845937117.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844257395.00000000047E1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/0459bbcc9007d32f68bcaa0a07733f6e/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/redirect/brand.png
Source: jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jsc.exe, 00000005.00000002.2652166085.00000000037B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003961000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000339F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003421000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://counter.yadro.ru/hit?
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gamemaker.io
Source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gamemaker.io)
Source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gamemaker.io/en/education.
Source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gamemaker.io/en/get.
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842894582.00000000047D2000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1848924916.00000000047DB000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840587375.00000000047DE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840587375.00000000047EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/0459bbcc9007d32f68bcaa0a07733f6e/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1763892395.000000000068B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1763892395.000000000068B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/D
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1750675756.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140001000.00000040.00000001.01000000.00000010.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000003.1878955386.0000000002310000.00000004.00001000.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140001000.00000040.00000001.01000000.00000011.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000003.1881772591.0000000000400000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1763892395.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1763892395.000000000068B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1763892395.000000000068B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: jsc.exe, 00000005.00000002.2652166085.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000355F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/1lyxz
Source: jsc.exe, 00000005.00000002.2652166085.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003344000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003425000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003404000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003911000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/2lVrD2
Source: jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.com/2lVrD24k
Source: jsc.exe, 00000005.00000002.2652166085.00000000037B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003961000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000339F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003421000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/
Source: jsc.exe, 00000005.00000002.2652166085.00000000037B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003378000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003961000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000339F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003421000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/privacy/
Source: jsc.exe, 00000005.00000002.2652166085.00000000037B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003378000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003961000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000339F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003421000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/rules/
Source: jsc.exe, 00000005.00000002.2652166085.0000000003729000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003378000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000353E000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003570000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003729000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jonathantwo.com/0459bbcc9007d32f68bcaa0a07733f6e/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840477814.0000000004844000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841928255.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842704242.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846731580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845426366.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840387590.0000000004813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exe:
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exeU
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840477814.0000000004844000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841928255.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842704242.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846731580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845426366.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840387590.0000000004813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exeZ
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879422507.00000000047D1000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe$
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1897719580.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeJ
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878893276.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeP
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857680458.000000000484F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858930023.000000000484F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe_
Source: jsc.exe, 00000005.00000002.2652166085.00000000033A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://net.geo.opera.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003564000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767__456
Source: jsc.exe, 00000005.00000002.2652166085.0000000003677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/E0rY26ni
Source: jsc.exe, 00000005.00000002.2652166085.000000000334D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org
Source: jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000337C000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A31000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe
Source: jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe-
Source: jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003408000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe4k
Source: jsc.exe, 00000005.00000002.2652166085.00000000033A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exe6
Source: jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exeG
Source: jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://realdeepai.org/6779d89b7a368f4f3f340b50a9d18d71.exeT
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: jsc.exe, 00000005.00000002.2652166085.000000000334D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A78000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000035E0000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000398B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000379F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003816000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000399A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A72000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003985000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org
Source: jsc.exe, 00000005.00000002.2652166085.00000000033AA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003344000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A1F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003576000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003425000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003404000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003911000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B5000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000392A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000377D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000376D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033C2000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033DA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003667000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe
Source: jsc.exe, 00000005.00000002.2652166085.000000000393B000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A41000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034C8000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000378D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://skategirls.org/baf14778c246e15550645e30ba78ce1c.exe4k
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1902074741.00000000047D6000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1900309198.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1903942245.0000000004822000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1902074741.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047D6000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1902074741.00000000047E4000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898388745.000000000480A000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898388745.0000000004822000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047EC000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904290505.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/c909328/u5294803/docs/d12/fe00982d9cfb/crypted.bmp?extra=9gA9Mrstf6eDcBt
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1900309198.0000000002C49000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904036476.0000000002BE9000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002BE7000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-22.userapi.com/c909518/u5294803/docs/d23/f3f574557e5d/crypted.bmp?extra=OZKsfqLr82JxeKr
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5tg.0.exe, 0000000D.00000003.1837125505.00000000220ED000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5tg.0.exe, 0000000D.00000003.1837125505.00000000220ED000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1830855097.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1832742969.0000000002C25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668652542?hash=KlAQZ4zXtzzV5eLSZ1KaXKdCOpfsWxOfH5GyV92XrPL&dl=yPhjzrub8w5M
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668769608?hash=EJK4IigrO9hmPOkFxXqpLliN8ksP1vifJqKZbhFKHvw&dl=HyyWNdLGIElg
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1898547764.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047DF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZgmzf
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1899256171.00000000047C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904290505.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTK
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1857791861.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843245371.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1900309198.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1851674958.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1830797940.0000000002C52000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1879784892.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1849130242.0000000002C51000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841023351.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1904290505.0000000002C4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZg
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1885320463.0000000002C18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004805000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5tg.0.exe, 0000000D.00000003.1845625883.0000000001CC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/VxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, u5tg.0.exe, 0000000D.00000002.2456883549.0000000000549000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5tg.0.exe, 0000000D.00000003.2149833618.000000002830B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: jsc.exe, 00000005.00000002.2652166085.0000000003677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su
Source: jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd
Source: jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exe
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.0000022028635000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2485783994.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: jsc.exe, 00000005.00000002.2652166085.00000000037B3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036F4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003378000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000037C3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000394F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003961000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A46000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A56000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.000000000339F000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003971000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003A66000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003421000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000033FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yip.su/redirect-
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\sbZAAkQuPWrpuYdmYbORf9Y6.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\4vR64vyt2Ms3IgZi0ogjOLiV.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\JHCkwUJwo6Iltf50o60nZ8hx.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\3HGHvoGBRy8IwCH7TQ5oNDqr.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RzZ1TAV7aob3SPZILB2zbFdV.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\OJ7vhB3j6tgF31VZAdyq4RWP.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rtlA3jJ7xsOUFL3iCVOy5VBX.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\r55PiUKSNGOgvzmsIZLcQBwY.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\hoW8r777x85abjsyeaeHujqA.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Pz85N0MYtRF424XKuyeCstGT.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rHhLiL9gsoGNTac83qTQnAj1.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ggByZtgEK7bPtlfPMmThjScy.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Pqxb61GGMG9M5KXBMaSXHEQD.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\5FQtA1wucts8Yrqmv9O6idz6.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\AKT0moXt1O8o3JAohyejb57d.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eOQyZOmKZuhuxvZPOmSz9XIB.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\HZsXoAGbQU5SkUVczYhPFgdu.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\FTcNwu7k57Kjd8usAclVAWLT.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe entropy: 7.99614337359 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\SpQS37CFNzVuKGQ66NuQrhJF.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\jyloIqTsPwfd1DkPDg38NoEm.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\kNL4FzXHKA5mrztWPDWWEYhW.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\hbVjMJXKMfxChI8EPArRZgag.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\IZNKVd1kbYfgYPSMbP2rCCcY.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\rSrR1mkcaBul2YC2PFGskQPW.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\L3lOBa8F6zHswmHocPmpzPVx.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\01Zkr9Pqv75RBBPAfRuOcR8W.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\mbmPnV0wgL2OU39u2KeIn4Tf.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\qemktTHoQLUy5osCZbbDQLZi.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\649FP6erIG3uUfhR0wTmAGh3.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9WWcfdyLrpl90TvY0F1B4pln.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\nFOnvesIq7VabzyMeGzHz4bu.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\alSkRSPtoedHGl3kbYeLvhn9.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\TQgruOoGIXZNEz8bpXbMq0nS.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ZDmJyG6Fh6EWKl8nRZuWAf5m.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\sVO8CirTx1P1PYp8b2HKbfci.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\pnOUyTpcHaCPBGC0NY6Ey4tl.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\MudDF159gEyKHU6eFD2BtmnO.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ORwSCErwlmZJgHX8RlZwnqzW.exe entropy: 7.99614337359 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\7tTJzEy4dI9u65vrU8cvsIiD.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe entropy: 7.99588046843 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\grabber[1].exe entropy: 7.99564568557 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\R44UL53NQLGR3F7y7U28BpiH.exe entropy: 7.99564568557 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\setup[1].exe entropy: 7.99617939742 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\f57Lg9cgmr2hMVAKkSa_5EEF.exe entropy: 7.99617939742 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\060[1].exe entropy: 7.99870917991 Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\mznEpIhRkhM45E5OaaApcXfQ.exe entropy: 7.99870917991 Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_109.0.5097.45_Autoupdate_x64[1].exe entropy: 7.99999275562 Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\opera_package entropy: 7.99999275562 Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Assistant_109.0.5097.45_Setup[1].exe entropy: 7.99454240908 Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy) entropy: 7.99454240908 Jump to dropped file
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_109.0.5097.45_Autoupdate_x64[1].exe entropy: 7.99997374199 Jump to dropped file

System Summary

Source: 0000001B.00000002.2697849713.0000000001D8F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.2385174033.0000000003700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000021.00000002.2541502193.0000000001B6F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000002.2582257953.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002C.00000002.2646335741.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000028.00000002.2549286327.0000000001AFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.2410411723.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002C.00000002.2610649931.0000000001B5F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.2473349170.0000000001C0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2514906491.0000000001D0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2365313728.0000000001A7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2561322038.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000024.00000002.2384676692.0000000001D7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.2512953464.0000000001B4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.2432721471.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.2391779693.0000000003690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000028.00000002.2577993326.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001C.00000002.2378252720.0000000001B2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2555300545.0000000003590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001D.00000002.2405210510.0000000001BFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6837B8C0 rand_s,NtQueryVirtualMemory, 13_2_6837B8C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6837B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 13_2_6837B910
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 13_2_6831F280
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 13_2_6833ED10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6837B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 13_2_6837B700
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B872B90 0_2_00007FFD9B872B90
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B874BD0 0_2_00007FFD9B874BD0
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B874B20 0_2_00007FFD9B874B20
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B8851FA 0_2_00007FFD9B8851FA
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B87C179 0_2_00007FFD9B87C179
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B878FB8 0_2_00007FFD9B878FB8
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B878FC0 0_2_00007FFD9B878FC0
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B876F20 0_2_00007FFD9B876F20
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B888F5A 0_2_00007FFD9B888F5A
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B87C601 0_2_00007FFD9B87C601
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B87F599 0_2_00007FFD9B87F599
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B880C2A 0_2_00007FFD9B880C2A
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B885247 0_2_00007FFD9B885247
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0041B84B 10_2_0041B84B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040BA80 10_2_0040BA80
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040C2AC 10_2_0040C2AC
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_004123A0 10_2_004123A0
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040F441 10_2_0040F441
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040BD2A 10_2_0040BD2A
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0042153C 10_2_0042153C
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040C6A0 10_2_0040C6A0
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00408761 10_2_00408761
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0041BF69 10_2_0041BF69
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040B70E 10_2_0040B70E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040BFF1 10_2_0040BFF1
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369C258 10_2_0369C258
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036ABAB2 10_2_036ABAB2
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369B975 10_2_0369B975
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369C907 10_2_0369C907
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036989C8 10_2_036989C8
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369BF91 10_2_0369BF91
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036A2607 10_2_036A2607
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369F6A8 10_2_0369F6A8
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369C513 10_2_0369C513
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369BCE7 10_2_0369BCE7
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683135A0 13_2_683135A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6835B820 13_2_6835B820
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68364820 13_2_68364820
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68327810 13_2_68327810
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6835F070 13_2_6835F070
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68338850 13_2_68338850
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833D850 13_2_6833D850
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683460A0 13_2_683460A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833C0E0 13_2_6833C0E0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683558E0 13_2_683558E0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683850C7 13_2_683850C7
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6836B970 13_2_6836B970
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6838B170 13_2_6838B170
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6832D960 13_2_6832D960
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833A940 13_2_6833A940
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6834D9B0 13_2_6834D9B0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831C9A0 13_2_6831C9A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68355190 13_2_68355190
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68372990 13_2_68372990
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68359A60 13_2_68359A60
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6832CAB0 13_2_6832CAB0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68382AB0 13_2_68382AB0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683122A0 13_2_683122A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68344AA0 13_2_68344AA0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6838BA90 13_2_6838BA90
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68331AF0 13_2_68331AF0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6835E2F0 13_2_6835E2F0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68358AC0 13_2_68358AC0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6835D320 13_2_6835D320
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6832C370 13_2_6832C370
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68315340 13_2_68315340
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831F380 13_2_6831F380
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683853C8 13_2_683853C8
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6838542B 13_2_6838542B
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68355C10 13_2_68355C10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68362C10 13_2_68362C10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6838AC00 13_2_6838AC00
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6838545C 13_2_6838545C
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68325440 13_2_68325440
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683734A0 13_2_683734A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6837C4A0 13_2_6837C4A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68326C80 13_2_68326C80
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68356CF0 13_2_68356CF0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831D4E0 13_2_6831D4E0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833D4D0 13_2_6833D4D0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683264C0 13_2_683264C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6833ED10 13_2_6833ED10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68340512 13_2_68340512
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6832FD00 13_2_6832FD00
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683785F0 13_2_683785F0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68350DD0 13_2_68350DD0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68379E30 13_2_68379E30
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68357E10 13_2_68357E10
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68365600 13_2_68365600
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831C670 13_2_6831C670
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68386E63 13_2_68386E63
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68339E50 13_2_68339E50
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68353E50 13_2_68353E50
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68334640 13_2_68334640
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68362E4E 13_2_68362E4E
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68374EA0 13_2_68374EA0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68335E90 13_2_68335E90
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6837E680 13_2_6837E680
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831BEF0 13_2_6831BEF0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6832FEF0 13_2_6832FEF0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683876E3 13_2_683876E3
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68357710 13_2_68357710
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68329F00 13_2_68329F00
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_683677A0 13_2_683677A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68346FF0 13_2_68346FF0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6831DFE0 13_2_6831DFE0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684B4840 13_2_684B4840
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68430820 13_2_68430820
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6846A820 13_2_6846A820
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684E68E0 13_2_684E68E0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68418960 13_2_68418960
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68436900 13_2_68436900
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684FC9E0 13_2_684FC9E0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684149F0 13_2_684149F0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684709A0 13_2_684709A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6849A9A0 13_2_6849A9A0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_684A09B0 13_2_684A09B0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6845CA70 13_2_6845CA70
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6848EA00 13_2_6848EA00
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68498A30 13_2_68498A30
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6845EA80 13_2_6845EA80
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: String function: 683594D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: String function: 6834CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: String function: 03699F27 appears 48 times
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: String function: 036B780B appears 43 times
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6560 -ip 6560
Source: 74fa486WVX.exe Static PE information: invalid certificate
Source: 55U4oAfoSKfHUd9zgALXnYnz.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 2HHKIWZutF51ekTbTCJmdsQD.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: EMeQ5ybqCaVICeTV8FEwhv9X.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: E626JU8WedF91dS47oNi5eLU.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: JFMKbtzEUpmtpv6BsSkbHYie.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: k37bNecnFhzJYNbz2EjRPf6F.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: G05ti52FimNWGW59YzUlmrp6.exe.5.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 74fa486WVX.exe Static PE information: No import functions for PE file found
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.0000022028635000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew.exe" vs 74fa486WVX.exe
Source: 74fa486WVX.exe, 00000000.00000002.2214064369.00000220386EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUratuzuvopuqebaL vs 74fa486WVX.exe
Source: 74fa486WVX.exe, 00000000.00000000.1650060523.00000220268A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUnadumom4 vs 74fa486WVX.exe
Source: 74fa486WVX.exe, 00000000.00000002.2114365937.0000022026C20000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUratuzuvopuqebaL vs 74fa486WVX.exe
Source: 0000001B.00000002.2697849713.0000000001D8F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.2385174033.0000000003700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000021.00000002.2541502193.0000000001B6F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000002.2582257953.00000000035C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002C.00000002.2646335741.00000000035B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000028.00000002.2549286327.0000000001AFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.2410411723.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002C.00000002.2610649931.0000000001B5F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.2473349170.0000000001C0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2514906491.0000000001D0F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2365313728.0000000001A7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2561322038.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000024.00000002.2384676692.0000000001D7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2512953464.0000000001B4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.2432721471.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.2391779693.0000000003690000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000028.00000002.2577993326.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001C.00000002.2378252720.0000000001B2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2555300545.0000000003590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.2405210510.0000000001BFF000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
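The "Matched rule" rows above carry two things a triager wants to correlate: which process the hit was in, and whether the region that matched was private writable+executable memory (the usual signature of a payload unpacked at runtime rather than an on-disk file). The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It parses rows of exactly the shape shown above and decodes the .sdmp identifier; the field layout it assumes for that identifier (process index, stage, counter, base address, page protection, an undecoded flags field, region type, trailer) is inferred from the rows on this page and should be treated as an assumption, not documented format.

```python
# Added example, not part of the Joe Sandbox report above: parse the
# "Matched rule" rows, decode the .sdmp memory-dump identifier and group
# YARA hits per process. The .sdmp field layout used below is ASSUMED from
# the rows on this page, not taken from Joe Sandbox documentation.
import re
from collections import defaultdict

# Constructed input: three rows copied from the report (two MEMORY, one DROPPED).
SAMPLE_ROWS = r"""
Source: 0000001B.00000002.2697849713.0000000001D8F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
"""

ROW_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+) Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
# "key = value" pairs; the lookahead lets a value itself contain ", " (scan_context = file, memory).
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
# ASSUMED layout: proc.stage.counter.base.protect.flags.type.trailer.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<trailer>[0-9A-Fa-f]{8})\.sdmp$"
)
# Standard Win32 PAGE_* and MEM_* constants (documented values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def decode_sdmp(name):
    """Decode a memory-dump identifier; returns None if the name is not one."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "process": int(m["proc"], 16),          # 0x1B -> process 27 in the process tree
        "stage": int(m["stage"], 16),           # matches the middle number of "10_2_..." function IDs
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),  # modifiers (PAGE_GUARD etc.) masked off
        "region_type": MEM_TYPE.get(mtype, hex(mtype)),
        "flags_raw": m["flags"],                # meaning not decoded; left as-is
    }


def parse_rows(text):
    """Parse every 'Matched rule' row into a dict with rule metadata and decoded dump info."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        meta = dict(META_RE.findall(m["meta"]))
        hits.append({
            "source": m["source"],
            "type": m["type"],
            "rule": m["rule"],
            "threat": meta.get("threat_name", m["rule"]),
            "meta": meta,
            "dump": decode_sdmp(m["source"]) if m["type"] == "MEMORY" else None,
        })
    return hits


def is_rwx_private(hit):
    """True for hits in private RWX memory: the classic footprint of an in-memory unpacked payload."""
    d = hit["dump"]
    return bool(d) and d["protect"] == "PAGE_EXECUTE_READWRITE" and d["region_type"] == "MEM_PRIVATE"


def families_by_process(hits):
    """Map process index -> set of threat names that matched in that process's memory."""
    out = defaultdict(set)
    for h in hits:
        if h["dump"]:
            out[h["dump"]["process"]].add(h["threat"])
    return dict(out)


if __name__ == "__main__":
    hits = parse_rows(SAMPLE_ROWS)
    for h in hits:
        print(h["threat"], h["dump"], "RWX-private" if is_rwx_private(h) else "")
    print(families_by_process(hits))
```

Run against the full report export, the same code answers the practical question quickly: every MEMORY match on this page sits in a 0x40/0x20000 region (RWX, private), so the RedLine and Smokeloader signatures are firing on unpacked code, which is why they do not appear as names of any dropped file.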
Source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 74fa486WVX.exe, ExcludeFromCodeCoverageAttributeCookies.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@278/489@0/45
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68377030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 13_2_68377030
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A7FB3E CreateToolhelp32Snapshot,Module32First, 10_2_01A7FB3E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Bc4dcTAjyvtQ9T6PrR3f0uzO.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Mutant created: NULL
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Opera/Installer/C:/Users/user/AppData/Local/Programs/Opera
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6560
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zkjrml4p.bbo.ps1 Jump to behavior
Source: Yara match File source: 00000021.00000003.2412282154.0000000004545000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2045418362.00000000043FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2296560016.000000000453A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2316207259.00000000042B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2072692337.000000000453A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2310300972.000000000454F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2312742007.0000000004530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000003.2526760586.0000000004547000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u220.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5tg.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5v0.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u2e8.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u4n4.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u57c.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u278.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u2cs.1.exe, type: DROPPED
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ubCN0EnMhpbd0TzRf4EeeM3.bat" "
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: one 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: one 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: two 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: two 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: three 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: three 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: four 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: four 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: five 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: five 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: six 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: six 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: seven 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: seven 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: eight 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: eight 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: nine 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: nine 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: ten 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: ten 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: one 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: two 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: three 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: four 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: five 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: six 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: seven 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: eight 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: nine 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: ten 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.90 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: Installed 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.59 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /syncUpd.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.59 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /syncUpd.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /1/Qg_Appv5.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: Qg_Appv5.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /BroomSetup.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /BroomSetup.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: @ 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: one 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: two 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: five 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: seven 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: eight 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: nine 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: ten 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.90 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: Installed 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.59 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /syncUpd.exe 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.59 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /syncUpd.exe 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /1/Qg_Appv5.exe 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: Qg_Appv5.exe 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /BroomSetup.exe 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: 185.172.128.228 10_2_036B4DA5
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Command line argument: /BroomSetup.exe 10_2_036B4DA5
Source: 74fa486WVX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\74fa486WVX.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\74fa486WVX.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1750675756.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140001000.00000040.00000001.01000000.00000010.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000003.1878955386.0000000002310000.00000004.00001000.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140001000.00000040.00000001.01000000.00000011.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000003.1881772591.0000000000400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1750675756.0000000001F90000.00000004.00001000.00020000.00000000.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140001000.00000040.00000001.01000000.00000010.sdmp, RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000003.1878955386.0000000002310000.00000004.00001000.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140001000.00000040.00000001.01000000.00000011.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000003.1881772591.0000000000400000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5tg.0.exe, u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5tg.0.exe, 0000000D.00000002.2577329483.000000001C02E000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000002.2709657411.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: 74fa486WVX.exe ReversingLabs: Detection: 21%
Source: 74fa486WVX.exe Virustotal: Detection: 26%
Source: C:\Users\user\Desktop\74fa486WVX.exe File read: C:\Users\user\Desktop\74fa486WVX.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\74fa486WVX.exe "C:\Users\user\Desktop\74fa486WVX.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\74fa486WVX.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6560 -ip 6560
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6560 -s 1104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe "C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe "C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe"
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process created: C:\Users\user\AppData\Local\Temp\u5tg.0.exe "C:\Users\user\AppData\Local\Temp\u5tg.0.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe "C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe "C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ubCN0EnMhpbd0TzRf4EeeM3.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\0Q5dKppSpEUoGQyfKKa0z3T3.exe "C:\Users\user\Pictures\0Q5dKppSpEUoGQyfKKa0z3T3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\BqrcKabb3rjHWiGgZhhaSqKx.exe "C:\Users\user\Pictures\BqrcKabb3rjHWiGgZhhaSqKx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe "C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe "C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe "C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe"
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe Process created: C:\Users\user\AppData\Local\Temp\u5lo.0.exe "C:\Users\user\AppData\Local\Temp\u5lo.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe "C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe "C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe "C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe"
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process created: C:\Users\user\AppData\Local\Temp\u220.0.exe "C:\Users\user\AppData\Local\Temp\u220.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe "C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe "C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe "C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe "C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe "C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe "C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe "C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe "C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe "C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe "C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe "C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\74fa486WVX.exe" -Force Jump to behavior
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" Jump to behavior
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" Jump to behavior
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe "C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe "C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe "C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe "C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe "C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe "C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe "C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe "C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe "C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe "C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe "C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe" --silent --allusers=0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe "C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe "C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe "C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe "C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe "C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe "C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe "C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe" --silent --allusers=0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe "C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe "C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6560 -ip 6560
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6560 -s 1104
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process created: C:\Users\user\AppData\Local\Temp\u5tg.0.exe "C:\Users\user\AppData\Local\Temp\u5tg.0.exe"
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe Process created: C:\Users\user\AppData\Local\Temp\u5lo.0.exe "C:\Users\user\AppData\Local\Temp\u5lo.0.exe"
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process created: C:\Users\user\AppData\Local\Temp\u220.0.exe "C:\Users\user\AppData\Local\Temp\u220.0.exe"
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe "C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe"
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: propsys.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\74fa486WVX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\74fa486WVX.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 74fa486WVX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 74fa486WVX.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 74fa486WVX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: u5tg.0.exe, 0000000D.00000002.2733626903.000000006838D000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: RC:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842065324.0000000004861000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846372753.0000000005044000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842247378.0000000004862000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847791034.0000000005364000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845850142.0000000005044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdb source: jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003ABB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140238000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140238000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: C:\yicukewiceyal\ge.pdb source: aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000003.1744695734.0000000003741000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000000.1743563423.000000000041B000.00000002.00000001.01000000.00000009.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000003.1874006266.0000000003801000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1886502011.0000000003771000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1932534592.00000000037C1000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000000.1862492427.000000000041B000.00000002.00000001.01000000.00000013.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000003.1964468154.0000000003781000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.1957327331.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140238000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140238000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1843997507.00000000050C3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841694299.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842489395.0000000005051000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1841790509.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842382816.0000000005051000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yixeki-ciguwan38_buyej\jobo.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845157813.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1838884651.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1838884651.0000000004888000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1840311650.00000000048E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: C:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842065324.0000000004861000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FFD000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1846372753.0000000005044000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1842247378.0000000004862000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847791034.0000000005364000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1844688555.0000000004FD3000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1845850142.0000000005044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: u5tg.0.exe, 0000000D.00000002.2733626903.000000006838D000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1884648951.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878460153.0000000004862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wextract.pdbH source: jsc.exe, 00000005.00000002.2652166085.000000000338A000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003ABB000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003383000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003311000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.0000000003362000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140265000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140265000.00000040.00000001.01000000.00000011.sdmp, l6tkmwjdUErRj2XjAOLUSPtS.exe, 0000001E.00000002.2152673578.0000000140265000.00000040.00000001.01000000.00000016.sdmp
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140243000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140243000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140243000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140243000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: DC:\yicukewiceyal\ge.pdb source: aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000003.1744695734.0000000003741000.00000004.00000020.00020000.00000000.sdmp, u5tg.0.exe, 0000000D.00000000.1743563423.000000000041B000.00000002.00000001.01000000.00000009.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000003.1874006266.0000000003801000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1886502011.0000000003771000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1932534592.00000000037C1000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000000.1862492427.000000000041B000.00000002.00000001.01000000.00000013.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000003.1964468154.0000000003781000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000003.1957327331.0000000003831000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: LNC:\noyofalivam\xeguhukur.pdb source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2967048972.0000000004319000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034DA000.00000004.00000800.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000002.2365446136.0000000001AB8000.00000004.00000020.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000000.1700515452.000000000041B000.00000002.00000001.01000000.00000007.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000000.1779339552.000000000041B000.00000002.00000001.01000000.0000000C.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000002.2528541137.0000000001D48000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000000.1825118600.000000000041B000.00000002.00000001.01000000.0000000D.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000000.1855770656.000000000041B000.00000002.00000001.01000000.00000012.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000002.2525303834.0000000001B88000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000002.2381563199.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000000.1862402151.000000000041B000.00000002.00000001.01000000.00000014.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000000.1866064043.000000000041B000.00000002.00000001.01000000.00000015.sdmp, RyhY8hIGZEZNYbghQkrpaTbg.exe, 0000002C.00000000.1954578069.000000000041B000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: C:\noyofalivam\xeguhukur.pdb source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2967048972.0000000004319000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000005.00000002.2652166085.00000000034DA000.00000004.00000800.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000002.2365446136.0000000001AB8000.00000004.00000020.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000000.1700515452.000000000041B000.00000002.00000001.01000000.00000007.sdmp, eXNDeRDst4kQrDZC4an0uq9f.exe, 00000011.00000000.1779339552.000000000041B000.00000002.00000001.01000000.0000000C.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000002.2528541137.0000000001D48000.00000004.00000020.00020000.00000000.sdmp, LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000000.1825118600.000000000041B000.00000002.00000001.01000000.0000000D.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000000.1855770656.000000000041B000.00000002.00000001.01000000.00000012.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000002.2525303834.0000000001B88000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000002.2381563199.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, aLJAULt319f3yelZ9yHcLLmp.exe, 0000001C.00000000.1862402151.000000000041B000.00000002.00000001.01000000.00000014.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000000.1866064043.000000000041B000.00000002.00000001.01000000.00000015.sdmp, RyhY8hIGZEZNYbghQkrpaTbg.exe, 0000002C.00000000.1954578069.000000000041B000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: 8>C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1884648951.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1878460153.0000000004862000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GC:\bivonare pif.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1869958857.0000000006711000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858482387.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1859853643.000000000516F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862956028.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1864705767.0000000005361000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1860935215.0000000005365000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1855540860.0000000004831000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1865504661.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, 0Q5dKppSpEUoGQyfKKa0z3T3.exe, 00000015.00000000.1826680480.000000000041B000.00000002.00000001.01000000.0000000E.sdmp, BqrcKabb3rjHWiGgZhhaSqKx.exe, 00000016.00000000.1826692672.000000000041B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: nss3.pdb source: u5tg.0.exe, 0000000D.00000002.2735000647.000000006856F000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: C:\bivonare pif.pdb source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1869958857.0000000006711000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1858482387.0000000004F61000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1859853643.000000000516F000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1862956028.00000000056CF000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1864705767.0000000005361000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1860935215.0000000005365000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1855540860.0000000004831000.00000004.00000020.00020000.00000000.sdmp, 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1865504661.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, 0Q5dKppSpEUoGQyfKKa0z3T3.exe, 00000015.00000000.1826680480.000000000041B000.00000002.00000001.01000000.0000000E.sdmp, BqrcKabb3rjHWiGgZhhaSqKx.exe, 00000016.00000000.1826692672.000000000041B000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: ".pdb source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1889157654.0000000140447000.00000040.00000001.01000000.00000010.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.2040484936.0000000140447000.00000040.00000001.01000000.00000011.sdmp

Data Obfuscation

Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Unpacked PE file: 10.2.aD6tv7fY2lQHgM7IuiL9Hw1Z.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Unpacked PE file: 13.2.u5tg.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Unpacked PE file: 18.2.LnpUuX1UZxpX7wm3ojkkhPdD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Unpacked PE file: 23.2.RztCbUmZBnVI5vwgknk1v9gl.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Unpacked PE file: 24.2.oBwm3xYVYadvvyPM22CjpgTr.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Unpacked PE file: 26.2.GnP27p1NAAqpGRO5fkWggl4G.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe Unpacked PE file: 27.2.u5lo.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Unpacked PE file: 28.2.aLJAULt319f3yelZ9yHcLLmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Unpacked PE file: 29.2.x2VAVd7wCFKvEJ20FLblB74a.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Unpacked PE file: 30.2.l6tkmwjdUErRj2XjAOLUSPtS.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Unpacked PE file: 32.2.VOj2XP57pkkframg3VKI0bnJ.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Unpacked PE file: 33.2.ucyz2FBrS2ZmSVbb1v4MylBp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Unpacked PE file: 35.2.snaftQ9InX6HRaN4agnWr7Oj.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Unpacked PE file: 36.2.62yRKzzf4sPbuvaYnIB1MyY6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Unpacked PE file: 40.2.ZD1fmOCLpyrjNES6gIPEm8BD.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Unpacked PE file: 41.2.EB0On5SEskIrRrycifeZdat8.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Unpacked PE file: 44.2.RyhY8hIGZEZNYbghQkrpaTbg.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Unpacked PE file: 10.2.aD6tv7fY2lQHgM7IuiL9Hw1Z.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Unpacked PE file: 13.2.u5tg.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Unpacked PE file: 18.2.LnpUuX1UZxpX7wm3ojkkhPdD.exe.400000.0.unpack
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Unpacked PE file: 26.2.GnP27p1NAAqpGRO5fkWggl4G.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe Unpacked PE file: 27.2.u5lo.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Unpacked PE file: 28.2.aLJAULt319f3yelZ9yHcLLmp.exe.400000.0.unpack
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Unpacked PE file: 29.2.x2VAVd7wCFKvEJ20FLblB74a.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Unpacked PE file: 33.2.ucyz2FBrS2ZmSVbb1v4MylBp.exe.400000.0.unpack
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Unpacked PE file: 36.2.62yRKzzf4sPbuvaYnIB1MyY6.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Unpacked PE file: 40.2.ZD1fmOCLpyrjNES6gIPEm8BD.exe.400000.0.unpack
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Unpacked PE file: 44.2.RyhY8hIGZEZNYbghQkrpaTbg.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00416240
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: Qrn1R2YnqgbObeklXgpUkoSv.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: RpHTCBF8eeEyMMzamuo6vUfe.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: 2HHKIWZutF51ekTbTCJmdsQD.exe.5.dr Static PE information: real checksum: 0x52798d should be: 0x527a82
Source: mBtSJYnuhrFLvY2MJBfJ6zCY.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: RuyjNg2h2rPzCAYgnDzC7oDR.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: H9FY6QTsJratO1zpWk3eILq1.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: 6AsVyY9hcVg6BrRB3XAxmLRn.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: 5IilnjrSxfPpByYnmbIawdwK.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: TovDrAS4ZVzdikDIaBscZdIr.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: CtkK9Th0aYy61u3G3eurfaVd.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: OKqXvjJ6SNHOnbaRTxCrZkO1.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: EMeQ5ybqCaVICeTV8FEwhv9X.exe.5.dr Static PE information: real checksum: 0x52fa5e should be: 0x52fb53
Source: bzUgMjyvpHyaWTvY7ESS9DNs.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: EPLdILIsM6WsgQ8tbaADcwbp.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: dHD69e5qJhcFRsXZFXD35fUF.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: jqR2QuJF62nOkasEDCKDfLZp.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: jMOiuIuR2FEmGKaDZ419BomJ.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: JS7F5l4X9VGfxhvIDALgQP2l.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: k37bNecnFhzJYNbz2EjRPf6F.exe.5.dr Static PE information: real checksum: 0x52f56c should be: 0x52f661
Source: E626JU8WedF91dS47oNi5eLU.exe.5.dr Static PE information: real checksum: 0x52798d should be: 0x527a82
Source: 55U4oAfoSKfHUd9zgALXnYnz.exe.5.dr Static PE information: real checksum: 0x52fa5e should be: 0x52fb53
Source: FYBxmkVn6yXddha66gzvyTER.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: G05ti52FimNWGW59YzUlmrp6.exe.5.dr Static PE information: real checksum: 0x53365c should be: 0x533751
Source: JFMKbtzEUpmtpv6BsSkbHYie.exe.5.dr Static PE information: real checksum: 0x52a55b should be: 0x52a650
Source: gAPxIrnhSeyospIFCtyklTjE.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: 7vhWkFWbVXTTdk4fousAZMn2.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: PGehWkLSodA6wqRR58MqY3mA.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: X9KcMA0fkXnD1jMYOYSmfmUC.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: ypf7cFVwcCjj0PNuLkMGitSU.exe.5.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: BZDlDTS67jORikSmtG0MWK6M.exe.5.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ffb
Source: sbZAAkQuPWrpuYdmYbORf9Y6.exe.5.dr Static PE information: section name: .MPRESS1
Source: sbZAAkQuPWrpuYdmYbORf9Y6.exe.5.dr Static PE information: section name: .MPRESS2
Source: 4vR64vyt2Ms3IgZi0ogjOLiV.exe.5.dr Static PE information: section name: .MPRESS1
Source: 4vR64vyt2Ms3IgZi0ogjOLiV.exe.5.dr Static PE information: section name: .MPRESS2
Source: JHCkwUJwo6Iltf50o60nZ8hx.exe.5.dr Static PE information: section name: .MPRESS1
Source: JHCkwUJwo6Iltf50o60nZ8hx.exe.5.dr Static PE information: section name: .MPRESS2
Source: 3HGHvoGBRy8IwCH7TQ5oNDqr.exe.5.dr Static PE information: section name: .MPRESS1
Source: 3HGHvoGBRy8IwCH7TQ5oNDqr.exe.5.dr Static PE information: section name: .MPRESS2
Source: RzZ1TAV7aob3SPZILB2zbFdV.exe.5.dr Static PE information: section name: .MPRESS1
Source: RzZ1TAV7aob3SPZILB2zbFdV.exe.5.dr Static PE information: section name: .MPRESS2
Source: OJ7vhB3j6tgF31VZAdyq4RWP.exe.5.dr Static PE information: section name: .MPRESS1
Source: OJ7vhB3j6tgF31VZAdyq4RWP.exe.5.dr Static PE information: section name: .MPRESS2
Source: rtlA3jJ7xsOUFL3iCVOy5VBX.exe.5.dr Static PE information: section name: .MPRESS1
Source: rtlA3jJ7xsOUFL3iCVOy5VBX.exe.5.dr Static PE information: section name: .MPRESS2
Source: r55PiUKSNGOgvzmsIZLcQBwY.exe.5.dr Static PE information: section name: .MPRESS1
Source: r55PiUKSNGOgvzmsIZLcQBwY.exe.5.dr Static PE information: section name: .MPRESS2
Source: hoW8r777x85abjsyeaeHujqA.exe.5.dr Static PE information: section name: .MPRESS1
Source: hoW8r777x85abjsyeaeHujqA.exe.5.dr Static PE information: section name: .MPRESS2
Source: Pz85N0MYtRF424XKuyeCstGT.exe.5.dr Static PE information: section name: .MPRESS1
Source: Pz85N0MYtRF424XKuyeCstGT.exe.5.dr Static PE information: section name: .MPRESS2
Source: rHhLiL9gsoGNTac83qTQnAj1.exe.5.dr Static PE information: section name: .MPRESS1
Source: rHhLiL9gsoGNTac83qTQnAj1.exe.5.dr Static PE information: section name: .MPRESS2
Source: ggByZtgEK7bPtlfPMmThjScy.exe.5.dr Static PE information: section name: .MPRESS1
Source: ggByZtgEK7bPtlfPMmThjScy.exe.5.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B87B21A push eax; ret 0_2_00007FFD9B87B239
Source: C:\Users\user\Desktop\74fa486WVX.exe Code function: 0_2_00007FFD9B95026B push esp; retf 4810h 0_2_00007FFD9B950312
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0042D355 push esi; ret 10_2_0042D35E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00409D06 push ecx; ret 10_2_00409D19
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_004275A4 push eax; ret 10_2_004275C2
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_004097B6 push ecx; ret 10_2_004097C9
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A839D7 push 2B991403h; ret 10_2_01A839DE
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A842FC push 00000061h; retf 10_2_01A84304
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A83CED pushad ; retf 10_2_01A83CF4
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A824C8 push ecx; iretd 10_2_01A824DA
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A8143E pushad ; retf 10_2_01A8143F
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A85760 push ebp; iretd 10_2_01A85793
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036ACB2D push esp; retf 10_2_036ACB2E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_03699A1D push ecx; ret 10_2_03699A30
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036B780B push eax; ret 10_2_036B7829
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_03699F6D push ecx; ret 10_2_03699F80
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036AC52F push esp; retf 10_2_036AC537
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036B1CA2 push dword ptr [esp+ecx-75h]; iretd 10_2_036B1CA6
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004176C5 push ecx; ret 13_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6834B536 push ecx; ret 13_2_6834B549

Persistence and Installation Behavior

Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\R44UL53NQLGR3F7y7U28BpiH.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\zO9gad4LUylgyGPVRTWG8XxZ.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\B_ZsWiDuQ1HQu1VXW6MeJxTk.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\f57Lg9cgmr2hMVAKkSa_5EEF.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\VCXaLRhnoJXqomdTeXblGJRq.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\mznEpIhRkhM45E5OaaApcXfQ.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\vul6UV08p0GCWyLDpSq_XRJi.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\5dDTPXBIdh37AT9JvHe3v9T2.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\mxtAV4l73Uek6ZcBcswMxsWp.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\cKoRtgFSDiCuW_NV2IeUEpEE.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\gO9wCBet6czWaf0NsZO_UTnB.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\OUtbmIGo9QOLW9Uv4N_RuEES.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\jmOGnNVL64Ek76qrYZVKlVw5.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\UXEo4_JR3JVOwMMHAOLzMKdh.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\JDyfRu1CTD86cboIGUzDhQmu.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\eTZIluMEeXg0MQ7rXsqUwQJd.exe
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\VlXwxkChbaUTvh7hyepXHnCW.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\hF86uNIlujuYkRxMrMiHYFp6.exe
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954341577984.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\QgjLXNBsCJHtPeO6W8lYpPOC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\mbmPnV0wgL2OU39u2KeIn4Tf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\jMOiuIuR2FEmGKaDZ419BomJ.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Default12_bake[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RzZ1TAV7aob3SPZILB2zbFdV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\qemktTHoQLUy5osCZbbDQLZi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\xvOK71VIriJJFg16EAEdNnAh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\FJmG3iFgWaQPL74KtLfPUV2W.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\pskPlxWRb1OP2eREIs2IGshL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\EPLdILIsM6WsgQ8tbaADcwbp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\SXmHoxZqoBYkuUqiuazKgSQI.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Retailer_prog[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\6AsVyY9hcVg6BrRB3XAxmLRn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\aloOHvo84Sj3qHQOomdBVrke.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Space_bake[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\7sLhgPZrhq33DqeqjIszWnvq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\0WJXemd5pQKDpgfnQ3uQfzFV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\nFOnvesIq7VabzyMeGzHz4bu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Qrn1R2YnqgbObeklXgpUkoSv.exe
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe File created: C:\Users\user\AppData\Local\Temp\u5v0.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\I4tFSbDREJ1q4OXBPjSetAQW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\V2AVPOVF5r22N991Qo613aDT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\UypVRf8fuLSyPhJMoNRd8ByR.exe
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe File created: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\Install.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RVUKEWDdLyejr6mPwsQxUWTt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\JFMKbtzEUpmtpv6BsSkbHYie.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ZDmJyG6Fh6EWKl8nRZuWAf5m.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\zA0fUzPmMHacDwoXN5o2PtEI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\IzOzMZjyTYZtcFM7Pm0M4cLM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\X9KcMA0fkXnD1jMYOYSmfmUC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\h1WhTFqf2opjt0b0LNsNHwlA.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe File created: C:\Users\user\AppData\Local\Temp\u278.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\CtkK9Th0aYy61u3G3eurfaVd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\3HGHvoGBRy8IwCH7TQ5oNDqr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\CnlXvT9Id1OtAjjGE5TZpQef.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\FTcNwu7k57Kjd8usAclVAWLT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\alSkRSPtoedHGl3kbYeLvhn9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\adRQWxNrYlcHIbAlSbSqXWcC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\6ukblLKwIGzTeTLtRG3BVQ4x.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954216548188.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\OJ7vhB3j6tgF31VZAdyq4RWP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\MjKbwwhLAm6QGZvYnqmkVE2N.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\AKT0moXt1O8o3JAohyejb57d.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\OKqXvjJ6SNHOnbaRTxCrZkO1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\oBNS4h72HaE8OUAQKdDBeBC5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\pnOUyTpcHaCPBGC0NY6Ey4tl.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe File created: C:\Users\user\AppData\Local\Temp\u5lo.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\G05ti52FimNWGW59YzUlmrp6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Bd2BFD74Ck0brD7odAkJnoBt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\QPODNwFSwgqyjs4xPBO8eifU.exe
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe File created: C:\Users\user\AppData\Local\Temp\u5v0.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rHhLiL9gsoGNTac83qTQnAj1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9WWcfdyLrpl90TvY0F1B4pln.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\WeDrjcmr3WuMJJgpzaKFaOUD.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\4vR64vyt2Ms3IgZi0ogjOLiV.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\H9FY6QTsJratO1zpWk3eILq1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\1xHPgdRbGIGh0nmHKOdvoVaq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\FYBxmkVn6yXddha66gzvyTER.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\qdu8WOX4grlXQcWdeCVU0yog.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rNvfkMS4HSyCWXTaphkAY6hw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\SpQS37CFNzVuKGQ66NuQrhJF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\24PXKARoj7uC8IIGZm6izG3D.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\etOkHRpUuM9SMkMQ6XAH0iE7.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\b6dZBaRARhr4L2hE5YvW9QS9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\setup[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\SCzt3mZbZN8xo826kWPoGwRo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\V90iUuGNMllDGLhDIYAi2XpJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\sVO8CirTx1P1PYp8b2HKbfci.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\gtoLel5pI65r4ngPnlyHhEHj.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\CTrPQEqq9NkquGou8e27KzGF.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\YPduThgkupN2YOpOSaJ8tGZ9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\XHgaLLVcBUd1pvULpJvyc8P4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\MJVuj1UoR1rh6VTfch6r7Z2Q.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cad54ba5b01423b1af8ec10ab5719d97[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\KpOMcUg7xZgdhNcAMeG69WU2.exe
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe File created: C:\Users\user\AppData\Local\Temp\u278.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\nCYFrpV4mlYXszmCzZcWov48.exe
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe File created: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\appidpolicyconverter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\IZNKVd1kbYfgYPSMbP2rCCcY.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\TovDrAS4ZVzdikDIaBscZdIr.exe
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe File created: C:\Users\user\AppData\Local\Temp\u2d8.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\HZsXoAGbQU5SkUVczYhPFgdu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\bElHT2p4mbKwAdc6T7e7obO9.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\htIsZjTfZjZuBCB42w6u1DiT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\xrRbZ93UaIlKIAwJZbwRmUAC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\AMlJjVHZqAEewXFRbgXzmomQ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ijiJmUl37TiXc19MRa9D6Pyf.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\bzUgMjyvpHyaWTvY7ESS9DNs.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\2Do1I89wRECQJCwpROH5lsmE.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\L3lOBa8F6zHswmHocPmpzPVx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\h41311GNENEXjAgagC9IQvg1.exe Jump to dropped file
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe File created: C:\Users\user\AppData\Local\Temp\u2cs.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\zjh0hj0NnUHk9L2TMnVQJLTW.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eNZuh4jTt1bdaHvl1ntSilXD.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\B_ZsWiDuQ1HQu1VXW6MeJxTk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9QZdGUAgvWsOeyrhldqGqEJH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\jqR2QuJF62nOkasEDCKDfLZp.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\GrRnDlZrJNXE160lL6oowS1v.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\RmGMH6bPe7yrJJoAPjx4QuVn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\EMeQ5ybqCaVICeTV8FEwhv9X.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\0539f2UvFHQYMmDfLH9ZSkIn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\oUULp12GYXlzmDfya60TW4IB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\I8DoKYH21jtp8BdbZVeMJM7i.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rules[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe File created: C:\Users\user\AppData\Local\Temp\u57c.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Pz85N0MYtRF424XKuyeCstGT.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\TQgruOoGIXZNEz8bpXbMq0nS.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\pXp5egQPwPtigEhyIRDfaa6E.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\jyloIqTsPwfd1DkPDg38NoEm.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ggByZtgEK7bPtlfPMmThjScy.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\k37bNecnFhzJYNbz2EjRPf6F.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\7vhWkFWbVXTTdk4fousAZMn2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\PGehWkLSodA6wqRR58MqY3mA.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ooW8x8YXbJUVFdOrFtVcRBS2.exe Jump to dropped file
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe File created: C:\Users\user\AppData\Local\Temp\u5tg.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\VEQ8LMeIaTugtpLzMiDcku0u.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Assistant_109.0.5097.45_Setup[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\jqS6NbkET5D7SNZCeWEWCENG.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ayrlXxluNGxfC55JVvCrmVJC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\JS7F5l4X9VGfxhvIDALgQP2l.exe Jump to dropped file
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\01Zkr9Pqv75RBBPAfRuOcR8W.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\jtig5U7Vd159jKkbKgnsA1kJ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe File created: C:\Users\user\AppData\Local\Temp\u2e8.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe File created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\060[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe File created: C:\Users\user\AppData\Local\Temp\u2cs.0.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe File created: C:\Users\user\AppData\Local\Temp\u4n4.0.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\cKoRtgFSDiCuW_NV2IeUEpEE.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\additional_file0.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\mZqNoUl7rhg7VWVjaV8Vy4BF.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\r55PiUKSNGOgvzmsIZLcQBwY.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ORwSCErwlmZJgHX8RlZwnqzW.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\hbVjMJXKMfxChI8EPArRZgag.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ZYbPkvE7LZq1cVMPf9tyCNrQ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\hoW8r777x85abjsyeaeHujqA.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\opera_package Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\CnG6dLLwYA6vpF8PXyp0C2h8.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\0tJmsjsuq861nw8wVciecU0e.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ypf7cFVwcCjj0PNuLkMGitSU.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\dHD69e5qJhcFRsXZFXD35fUF.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\w7ux7hHqzwEHHcNpdIZHi9kH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\arSoWf1Ec1I4geYHHWR5UtYB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\jHIeGCiObkRJMFj5XmJJdsLE.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\JDyfRu1CTD86cboIGUzDhQmu.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\gAPxIrnhSeyospIFCtyklTjE.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\GAzYt7CA0m8wlIqsNbXSFLHn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\eEb1TKqbCVZy7sUcB7UxVvtM.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\kNL4FzXHKA5mrztWPDWWEYhW.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe File created: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\ARP.EXE Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\5FQtA1wucts8Yrqmv9O6idz6.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\7tTJzEy4dI9u65vrU8cvsIiD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\T5v8y5uHNNaBu14RKQEK9PkF.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\vOFejnruMTlhsY9VyWYBwVmV.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\kRPiGZLG56ufjAxHMDmGvftT.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Pqxb61GGMG9M5KXBMaSXHEQD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\649FP6erIG3uUfhR0wTmAGh3.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\4p3nYystUOj2tUSsjPXXVQ54.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\y7ZbSuax0faSHVlRSXixHqe0.exe Jump to dropped file
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe File created: C:\Users\user\AppData\Local\Temp\u220.0.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\OUtbmIGo9QOLW9Uv4N_RuEES.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eOQyZOmKZuhuxvZPOmSz9XIB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\vsNuRbeEydzbcooHujxzNFkQ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rtlA3jJ7xsOUFL3iCVOy5VBX.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\AWDjsZTWMbVQLKjK75X6Ig96.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\BZDlDTS67jORikSmtG0MWK6M.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\JaHbmxTJGIb2iDrWZTTyHXge.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\YLxl1OEtHJfohB8PRbEA6Xn4.exe Jump to dropped file
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe File created: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\hh.exe Jump to dropped file
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe File created: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\CW6WN5mFGU6H5K7sHvG367nH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\E626JU8WedF91dS47oNi5eLU.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\SfOYkUNot9JLY7LapPJ23zRc.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\5IilnjrSxfPpByYnmbIawdwK.exe Jump to dropped file
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe File created: C:\Users\user\AppData\Local\Temp\u57c.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\MYxgPYtwBMLOAVSYtyBdW27o.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\gO9wCBet6czWaf0NsZO_UTnB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\aRHPnT4fdMoAto9EHowTCiai.exe Jump to dropped file
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe File created: C:\Users\user\AppData\Local\Temp\u4n4.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\saOGw7GRWxI3UtHmlqck8d4L.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\zO9gad4LUylgyGPVRTWG8XxZ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\mBtSJYnuhrFLvY2MJBfJ6zCY.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\55U4oAfoSKfHUd9zgALXnYnz.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\JoYGPFg75QERifE5RbK9hGgW.exe Jump to dropped file
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe File created: C:\Users\user\AppData\Local\Temp\u2e8.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\JHCkwUJwo6Iltf50o60nZ8hx.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\nyUGUKSZmuHor89NvumnpHYu.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\MudDF159gEyKHU6eFD2BtmnO.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\grabber[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\rSrR1mkcaBul2YC2PFGskQPW.exe Jump to dropped file
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe File created: C:\Users\user\AppData\Local\Temp\u220.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\RpHTCBF8eeEyMMzamuo6vUfe.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\f57Lg9cgmr2hMVAKkSa_5EEF.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\HpBGGaTzXG4lEftpe85oGMCk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\RuyjNg2h2rPzCAYgnDzC7oDR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\sbZAAkQuPWrpuYdmYbORf9Y6.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\4fce60ee[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File created: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\vRRe41RxUVbUBnvAaNdID0sa.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\2HHKIWZutF51ekTbTCJmdsQD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\QG18GgqwuMudz8t1bQkf58tD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\r1KZ4j7DDLzJ3DZwbwpdXSKJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\zWBqjxGqSREVGD26eOWqbKie.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115425810.log
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115438068.log

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nhx5TTx8BWaYdt3v9Zin2ufd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NdG5xSXEWKQu8H8iO0gXD2p1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5nc8XYGVyOnuMthvpexBIovW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NcKTUiU5jFdf7RJr7VZKxsgJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RTFGXR1f6AYMAtRAYLrbBepJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QLxQvptvIpMcDvpBNhpgcTvI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyxWIL4eXEgqlzJd3RLHkcJa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gqTE0qzWFdMgkm2k2WK2aIq7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YENFsb4lYGCijl81Q7SfaefJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rY6E4Gs3jEGBRFaPpIs7DKgP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbCUU14FxUISAVQuI7nWKl5R.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zFDseCbDMOHvLXAt2pOQ5G5W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f5J2d20gETPmAS25L8xjXCj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARGlgVRlZ1nHMB1HXf6NWV86.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z64ZNBCdwZOivzI0z0oPuzAK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F9R0fNIwTt2qPb95TsKTBSmc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gM5rpYrK1E69YnNsMW5vDOic.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFRSdC0NaKw2msT8rBR3VnHr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cWtsAugWsNvwFllMg6qlK7vV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FP8bLIflOfyG9UrrdqLDCbKa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xcDb5xB1c13HYCYmZ5EbVv13.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwoguMajuijJKgJdnkYe0PDX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BiCV7UCBlJ8ytE185N81kSVr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yAhv6uXYlmQXl2hy5ZrFO0fC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tBJgiubYQlVusUpNViDn9cUb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fF8sgdftNVyS7EUoMAAvIahV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13n2VnF7KmWTzhbPEXQgT6W6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RNr5FOyYK8K1m51GBIDLS7rK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q7WnlqIT7fqnlhV4k6saTK0C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7U3BBxTfhfxHiv1EpXZR1XX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fknIFBlnb18ls2xfhLP2kwtZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EnMFrukEsyw89UQkJERrN7aG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5A5WLN6BevQJur0RFFBQadQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3MDVq71X3FLA3LYzeG9NG9Kd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2dRc5Rv3nbcecgcurBUECdQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEhHqhTdrPU9QgqZCJ3yEdjE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sIN5mpqtedBXFGr6StDTVG6D.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6OW96yysMxyB8gUH0ZeMPtQT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpDRS27mLKhb2E1QZSP6kCZQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bFX1RNiufLA1HSLka4U7HdR7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iczq6tkI09NTMQiyW7qC31ic.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1AurkCxOayUMVb21jI7ZR7XI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uIS3Lx9T9YKmRwDZoVAzBqpa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtaA3Va5TrUk93MFn3fVMueJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2OKtqdom8RFgzLmhpzt79HIC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfmSyNewWnMuVMkAZ67Hgl7o.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q7WQNR99VrMnjGcoFH5RvJi9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDpIf3k5qpnhTQFbTx3LkYzM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ubCN0EnMhpbd0TzRf4EeeM3.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kAYxMgX4i0DNjmbzeW1Je0d5.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nAlXV3CaCyCQR4uP8FCPMhlh.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W55tu9i15Es17Eoy2h73dCN9.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8Hek4eibimeaycQo5bth630p.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkIPYs1Us6G6obgvwSPN7AG4.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N01X2KxqdOsokI4InlgECwtt.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5LQWMKO8XBjkNXRVdU6jIakG.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXUuyEkERzTF7JdAdXBuDCPd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5pQexeoxgwIWIxDuVynECax.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7hqYOxsqNf7Ts5CjucwDnxVL.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WAOpRz6Z1DCPxrubDVTnaDOr.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RSUg6Y4BkSQOy7rhDcj0FYJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GFouAb2rMTeYtthloCcq3V2h.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISzojIyuRQyHUenekXWCti0a.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uhLK6GOFpp88GYF2e0yeY7x9.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DmrOdx6P4taC1oOvw1InqwVE.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SbaVIUvJakWEgHdGYkNyn8sj.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zNL7pHlDBOAP6Pl14pX6rhwU.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6EB2umPLs7OytyPt4YYCEx0.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uEZWznN76BFdjVG2JZfdvUDw.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ueLbKqP5iyO5fxLGI0bJjhct.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuUAFLVOfDbDW1qjb1cde2uH.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1wcfFPtK6WJakcRKMYN0Dym.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oM7eI5EMqLNREyqHsA1PuffZ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecCJK8Os72e8nX9U9MJ3B8rq.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvOGF0e3ilPNACaVM9y4P3iH.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxGWf6g7Tqujg5PVQcViCX8m.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evfrhnV3zWcCqKtYnwtb8kN3.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gDd2TM6KvrsKu9nvBL0YvSaJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cTmTceKcNw4zzgHGnQVCfJte.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uaJrZOfHrFFMNLAzWJiFxKpd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oE8mMUqKndauAy47hKJzJTkG.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pmxrOKYTjHwrQDXWRAQNQ3Gl.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3vsGmETfFEdnqjREW1N0JsED.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7J02TzwsIZpMKUm4JKSlOtyX.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ln287cl5zqZUOQ09NLuGFOgv.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BqEKwKLMf8AXTw2S0d3yG0qc.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znVSBPQNUcUccPZCsKUfpDLT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgDwaHUTvsayZnYhdZd2TXFE.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FmOMXeiu31wZE5UKmRsl6GaO.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QM3P3TJ8M9dp4woKHSr4IAs6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHMlXsYgQdfzBHXNLiHpb65s.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FWUrWxI0a9j163h8LPyxqHaE.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B30XtbNCHCpnw5qmBVmEB7zp.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JgQgO4NsZsYRypnOb6qAVCX3.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vaxk8wtTvDbvKL8YWeTRCzTN.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRjPfUrz75IJy1Acr8jkVWds.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCzgcdlWkVWSOObx3iXMxTG2.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5mrt56cnOawavbCjeU2teAU.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZWzaxr64IASc6ik5dJr4a48v.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtyWyCd7pakzufNd6GrI3ylX.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PVlZ4JHv4nt1jE0U0j46ZvRU.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y0dtUw2eERZhGiCfTXoItjJq.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9u9dXULeXHK15kBaj0M4uCEY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55R42Z89GeuBPGqfLpjlY6ZN.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiS9J0tBJ6uJhUH23PospdU.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4sRFgaUJaJhOA9r29eA3NgAv.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AJisa0BkGOPIcervnBUl4nXu.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cktWDzHHdibILrWAe0M2Gczx.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pUHEbeo9v6qQqBvkmEWXbg3y.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qwJGV26WwyQ0GpgQHHo3Dij6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwRqUgvYwonTHZW8VGpqECut.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsbpOEozKQyNrBH3GbSfkb5w.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUhCCrZvY1BwXlWVkdBPgxLM.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d72XvSxcGC4atOkviZwZt7DK.bat Jump to dropped file
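The entries above show a pattern worth a hunting rule rather than a hash: the .NET JScript compiler jsc.exe (a signed Microsoft binary that has no business writing to a Startup folder) creating dozens of .bat files with 24-character random alphanumeric names under the per-user Startup directory. The following script is an added example, not part of the sandbox report: it runs that detection logic over a handful of constructed Sysmon-style records (FileCreate, event 11; registry key create/value set, events 12 and 13) written as `field=value` pairs joined by `|` to keep the example offline. The field names follow Sysmon; the record format, the list of "expected" Startup writers and the entropy threshold are assumptions of this example. It also flags the firewall-rule registry write by a binary running from the user's Pictures folder, as reported further down for 9cQOeDxBBzNL5s3WiYLdFtQh.exe.

```python
"""Triage constructed Sysmon-style records for the persistence behaviour in this
report: jsc.exe writing randomly named .bat files into the per-user Startup
folder, and a binary run from a user-writable path creating Windows Firewall
rule keys under HKLM. The records below are constructed for this example
(field=value pairs separated by '|'); they are not real Sysmon XML."""
import math
import re
from collections import Counter

STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
FIREWALL_RULES_RE = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
# Assumed allow-list of processes that plausibly write Startup entries on a
# workstation. Compilers such as jsc.exe, csc.exe or msbuild.exe never belong here.
EXPECTED_STARTUP_WRITERS = {"explorer.exe", "msiexec.exe", "setup.exe"}


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(filename: str) -> bool:
    """Long mixed-case alphanumeric stems containing digits and with high
    entropy, like the 24-character names in the report, as opposed to product
    names such as OneDrive.lnk. Threshold 3.5 bits/char is an assumption."""
    stem = filename.rsplit(".", 1)[0]
    return (len(stem) >= 16
            and re.fullmatch(r"[A-Za-z0-9]+", stem) is not None
            and re.search(r"[0-9]", stem) is not None
            and re.search(r"[a-z]", stem) is not None
            and re.search(r"[A-Z]", stem) is not None
            and shannon_entropy(stem) > 3.5)


def parse_record(line: str) -> dict:
    return dict(field.split("=", 1) for field in line.split("|"))


def triage(line: str) -> list:
    """Return (rule, detail) tuples that fire for one record."""
    rec = parse_record(line)
    image = rec.get("Image", "")
    image_name = image.rsplit("\\", 1)[-1].lower()
    hits = []
    if rec.get("EventID") == "11":  # FileCreate
        target = rec.get("TargetFilename", "")
        name = target.rsplit("\\", 1)[-1]
        if STARTUP_DIR_RE.search(target):
            if image_name not in EXPECTED_STARTUP_WRITERS:
                hits.append(("startup_write_by_unexpected_image", image_name))
            if name.lower().endswith(SCRIPT_EXTS):
                hits.append(("startup_script_dropped", name))
            if looks_random(name):
                hits.append(("startup_random_name", name))
    elif rec.get("EventID") in ("12", "13"):  # RegistryEvent: key created / value set
        if FIREWALL_RULES_RE.search(rec.get("TargetObject", "")) and USER_WRITABLE_RE.match(image):
            hits.append(("firewall_rule_from_user_writable_path", image))
    return hits


def summarize(lines) -> dict:
    """Count rule hits per image so a hunt shows which process is noisy."""
    per_image = {}
    for line in lines:
        hits = triage(line)
        if hits:
            img = parse_record(line)["Image"]
            per_image[img] = per_image.get(img, 0) + len(hits)
    return per_image


# Constructed records; paths are taken from this report, the benign ones are made up.
SAMPLE_LOG = [
    r"EventID=11|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|TargetFilename="
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q7WnlqIT7fqnlhV4k6saTK0C.bat",
    r"EventID=11|Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe|TargetFilename="
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7U3BBxTfhfxHiv1EpXZR1XX.bat",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename="
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"EventID=12|Image=C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe|TargetObject="
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules",
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject="
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for rule, detail in triage(line):
            print(f"{rule}: {detail}")
    print(summarize(SAMPLE_LOG))
```

The strongest signal here is the writer, not the name: a compiler or any other LOLBin touching the Startup folder should page on its own, and the entropy heuristic is only there to rank the hits. Note that the report shows the same jsc.exe process responsible for every drop, so a per-image count like `summarize()` collapses dozens of alerts into one.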
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Window searched: window name: RegmonClass
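The "Window searched" entries above are an anti-analysis check: each dropped executable calls FindWindow with the window class names of Sysinternals Filemon and Regmon (both retired) and of Process Monitor (PROCMON_WINDOW_CLASS), and presumably changes behaviour when one is open. Because these are class names rather than window titles, renaming procmon.exe does not evade the check. As an added example that is not part of the report or of any tool it names, the script below performs the static triage a practitioner would do on the dropped files: it searches a sample for those three class names in both ASCII and UTF-16LE, since FindWindowW takes wide strings and a plain `strings` run misses them. The "binary" scanned is constructed bytes, not the real dropped file; the class-name table contains only the three names the report lists.

```python
"""Static triage for the anti-analysis check in this report: look for the
window class names of Sysinternals Filemon/Regmon/Procmon in a binary, in both
ASCII and UTF-16LE encodings. The sample scanned is constructed for this
example and is not one of the dropped files."""

# Only the class names the report lists; the descriptions are for the analyst.
ANALYSIS_TOOL_CLASSES = {
    "FilemonClass": "Sysinternals Filemon (retired)",
    "RegmonClass": "Sysinternals Regmon (retired)",
    "PROCMON_WINDOW_CLASS": "Sysinternals Process Monitor",
}
ENCODINGS = ("ascii", "utf-16-le")  # FindWindowA vs FindWindowW string forms


def scan(data: bytes) -> dict:
    """Return {class_name: [(encoding, offset), ...]} for every occurrence."""
    found = {}
    for name in ANALYSIS_TOOL_CLASSES:
        hits = []
        for enc in ENCODINGS:
            needle = name.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.append((enc, pos))
                pos = data.find(needle, pos + 1)
        if hits:
            found[name] = hits
    return found


def checks_for_analysis_tools(data: bytes) -> bool:
    """True when at least one monitored class name is present in plaintext."""
    return bool(scan(data))


def build_sample() -> bytes:
    """Constructed stand-in for a dropped PE: an MZ header, padding, two class
    names embedded as UTF-16LE (what a compiler emits for FindWindowW), one as
    ASCII, and a decoy string that must not match."""
    blob = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte fake header
    blob += b"\x90" * 16                             # padding, offset 80 follows
    blob += "PROCMON_WINDOW_CLASS".encode("utf-16-le")
    blob += b"\x00" * 8                              # offset 128 follows
    blob += "FilemonClass".encode("utf-16-le")
    blob += b"\x00" * 8                              # offset 160 follows
    blob += b"RegmonClass"
    blob += b"\x00" * 8 + b"ProcmonClassNotReally"  # decoy, no match expected
    return bytes(blob)


def report(data: bytes) -> list:
    """Human-readable lines, one per hit, for inclusion in triage notes."""
    lines = []
    for name, hits in scan(data).items():
        for enc, off in hits:
            lines.append(f"{name} ({ANALYSIS_TOOL_CLASSES[name]}) as {enc} at offset 0x{off:x}")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    print("anti-analysis strings present:", checks_for_analysis_tools(sample))
    for line in report(sample):
        print(line)
```

This only catches plaintext strings; a sample that builds the class name on the stack or decrypts it at runtime shows nothing here and has to be caught dynamically (breakpoints or API logging on FindWindowA/FindWindowW, which is what the sandbox did to produce the entries above). For live analysis, the practical counter is to run Process Monitor in a way that the class-name lookup does not see, for example from a monitoring tool with a different window class or with the FindWindow result patched in the debugger.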
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nhx5TTx8BWaYdt3v9Zin2ufd.bat Jump to behavior
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nhx5TTx8BWaYdt3v9Zin2ufd.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JDpIf3k5qpnhTQFbTx3LkYzM.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0ubCN0EnMhpbd0TzRf4EeeM3.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7hqYOxsqNf7Ts5CjucwDnxVL.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WAOpRz6Z1DCPxrubDVTnaDOr.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6EB2umPLs7OytyPt4YYCEx0.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uEZWznN76BFdjVG2JZfdvUDw.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uaJrZOfHrFFMNLAzWJiFxKpd.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FmOMXeiu31wZE5UKmRsl6GaO.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QM3P3TJ8M9dp4woKHSr4IAs6.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHMlXsYgQdfzBHXNLiHpb65s.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qRjPfUrz75IJy1Acr8jkVWds.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RtyWyCd7pakzufNd6GrI3ylX.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PVlZ4JHv4nt1jE0U0j46ZvRU.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y0dtUw2eERZhGiCfTXoItjJq.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9u9dXULeXHK15kBaj0M4uCEY.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4sRFgaUJaJhOA9r29eA3NgAv.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zsbpOEozKQyNrBH3GbSfkb5w.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XwRqUgvYwonTHZW8VGpqECut.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d72XvSxcGC4atOkviZwZt7DK.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUhCCrZvY1BwXlWVkdBPgxLM.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iczq6tkI09NTMQiyW7qC31ic.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NfmSyNewWnMuVMkAZ67Hgl7o.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nAlXV3CaCyCQR4uP8FCPMhlh.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8Hek4eibimeaycQo5bth630p.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zXUuyEkERzTF7JdAdXBuDCPd.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5LQWMKO8XBjkNXRVdU6jIakG.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SbaVIUvJakWEgHdGYkNyn8sj.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evfrhnV3zWcCqKtYnwtb8kN3.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cTmTceKcNw4zzgHGnQVCfJte.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gvOGF0e3ilPNACaVM9y4P3iH.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pmxrOKYTjHwrQDXWRAQNQ3Gl.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ln287cl5zqZUOQ09NLuGFOgv.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JgQgO4NsZsYRypnOb6qAVCX3.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5mrt56cnOawavbCjeU2teAU.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiS9J0tBJ6uJhUH23PospdU.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\55R42Z89GeuBPGqfLpjlY6ZN.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AJisa0BkGOPIcervnBUl4nXu.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cktWDzHHdibILrWAe0M2Gczx.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qwJGV26WwyQ0GpgQHHo3Dij6.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pUHEbeo9v6qQqBvkmEWXbg3y.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FP8bLIflOfyG9UrrdqLDCbKa.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tBJgiubYQlVusUpNViDn9cUb.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fknIFBlnb18ls2xfhLP2kwtZ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e2dRc5Rv3nbcecgcurBUECdQ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bFX1RNiufLA1HSLka4U7HdR7.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uIS3Lx9T9YKmRwDZoVAzBqpa.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kAYxMgX4i0DNjmbzeW1Je0d5.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d5pQexeoxgwIWIxDuVynECax.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GFouAb2rMTeYtthloCcq3V2h.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uhLK6GOFpp88GYF2e0yeY7x9.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zNL7pHlDBOAP6Pl14pX6rhwU.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuUAFLVOfDbDW1qjb1cde2uH.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oM7eI5EMqLNREyqHsA1PuffZ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxGWf6g7Tqujg5PVQcViCX8m.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gDd2TM6KvrsKu9nvBL0YvSaJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3vsGmETfFEdnqjREW1N0JsED.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BqEKwKLMf8AXTw2S0d3yG0qc.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NgDwaHUTvsayZnYhdZd2TXFE.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FWUrWxI0a9j163h8LPyxqHaE.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B30XtbNCHCpnw5qmBVmEB7zp.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vaxk8wtTvDbvKL8YWeTRCzTN.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZCzgcdlWkVWSOObx3iXMxTG2.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZWzaxr64IASc6ik5dJr4a48v.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyxWIL4eXEgqlzJd3RLHkcJa.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YENFsb4lYGCijl81Q7SfaefJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rY6E4Gs3jEGBRFaPpIs7DKgP.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zFDseCbDMOHvLXAt2pOQ5G5W.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARGlgVRlZ1nHMB1HXf6NWV86.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F9R0fNIwTt2qPb95TsKTBSmc.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jFRSdC0NaKw2msT8rBR3VnHr.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xcDb5xB1c13HYCYmZ5EbVv13.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BiCV7UCBlJ8ytE185N81kSVr.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fF8sgdftNVyS7EUoMAAvIahV.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RNr5FOyYK8K1m51GBIDLS7rK.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f7U3BBxTfhfxHiv1EpXZR1XX.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5A5WLN6BevQJur0RFFBQadQ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MEhHqhTdrPU9QgqZCJ3yEdjE.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sIN5mpqtedBXFGr6StDTVG6D.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vpDRS27mLKhb2E1QZSP6kCZQ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1AurkCxOayUMVb21jI7ZR7XI.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AtaA3Va5TrUk93MFn3fVMueJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2OKtqdom8RFgzLmhpzt79HIC.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q7WQNR99VrMnjGcoFH5RvJi9.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\W55tu9i15Es17Eoy2h73dCN9.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkIPYs1Us6G6obgvwSPN7AG4.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N01X2KxqdOsokI4InlgECwtt.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RSUg6Y4BkSQOy7rhDcj0FYJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ISzojIyuRQyHUenekXWCti0a.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DmrOdx6P4taC1oOvw1InqwVE.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ueLbKqP5iyO5fxLGI0bJjhct.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v1wcfFPtK6WJakcRKMYN0Dym.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ecCJK8Os72e8nX9U9MJ3B8rq.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oE8mMUqKndauAy47hKJzJTkG.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7J02TzwsIZpMKUm4JKSlOtyX.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\znVSBPQNUcUccPZCsKUfpDLT.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NdG5xSXEWKQu8H8iO0gXD2p1.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5nc8XYGVyOnuMthvpexBIovW.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NcKTUiU5jFdf7RJr7VZKxsgJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RTFGXR1f6AYMAtRAYLrbBepJ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QLxQvptvIpMcDvpBNhpgcTvI.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gqTE0qzWFdMgkm2k2WK2aIq7.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PbCUU14FxUISAVQuI7nWKl5R.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f5J2d20gETPmAS25L8xjXCj.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z64ZNBCdwZOivzI0z0oPuzAK.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gM5rpYrK1E69YnNsMW5vDOic.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cWtsAugWsNvwFllMg6qlK7vV.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nwoguMajuijJKgJdnkYe0PDX.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yAhv6uXYlmQXl2hy5ZrFO0fC.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13n2VnF7KmWTzhbPEXQgT6W6.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q7WnlqIT7fqnlhV4k6saTK0C.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EnMFrukEsyw89UQkJERrN7aG.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3MDVq71X3FLA3LYzeG9NG9Kd.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6OW96yysMxyB8gUH0ZeMPtQT.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZNl1hGnM7Ck5qnGG4Lqedvfc.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fBWegOFosJ3pP9m8YXnI1rn3.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qkqtATvodwaitOmISTJIvmcA.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gEZABo9syj5GDbPAeoHZCpmq.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fKRA0ZBperXNlcylBqDbDN0p.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\21nHUWOteT2KapomJmHyvw9z.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HXR4OVEG2yDKAj2k5Dt5mipQ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y77D8WyjrBPD491vFsSECZ7c.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FbCHe2uZ9ekV1INKkX0Rtkma.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tlAzq4sezmwr6pvnPn4xiToR.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FnYbG0Za6tyKgzL1Rbj8UtR0.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NRaZnpQRZ6jCKqPrTbTAzg2l.bat Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior (3 identical entries)
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00408761
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
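Two of the artifacts above are worth verifying directly on a host suspected of running this sample: the .bat files that jsc.exe wrote into the per-user Startup folder, and the AuthRoot certificate entry attributed to VlXwxkChbaUTvh7hyepXHnCW.exe. The PowerShell below is an added hunting check, not part of the sandbox report; it assumes an elevated session on the host (or a mounted image with the same paths) and uses the Startup path and the thumbprint exactly as the report lists them. One caveat before treating the thumbprint as an indicator: AuthRoot is the store Windows fills through its automatic root certificate update whenever a process builds a chain to a root that is not yet cached, so an AuthRoot write and the matching "monitored for changes" notification attributed to a malware process are normally CryptoAPI caching a public root after the sample's first TLS connection, not the sample planting trust. A root an attacker installs lands in the ROOT store instead, so the check looks there too, and it prints the certificate subject so you can compare it against the roots Microsoft distributes.

```powershell
# Added hunting check for the artifacts the report lists above; this is not part of the
# sandbox report. Assumes an elevated PowerShell session on the host being examined (or on
# a mounted image with the same paths). Path and thumbprint are taken from the report.

$Thumbprint = 'DDFB16CD4931C973A2037D3FC83A4D7D775D05E4'

# 1. Batch files in every per-user Startup folder. The report attributes these writes to
#    jsc.exe, the .NET JScript compiler, which has no legitimate reason to write there.
$startupGlob = 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat'
$bats = @(Get-ChildItem -Path $startupGlob -File -ErrorAction SilentlyContinue)

if ($bats.Count -gt 0) {
    "Batch files in per-user Startup folders: $($bats.Count)"
    $bats | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
    # The report does not show what the .bat files run, so print the head of each one.
    foreach ($b in $bats) {
        "--- $($b.FullName)"
        Get-Content -Path $b.FullName -TotalCount 10
    }
} else {
    'No .bat files in per-user Startup folders.'
}

# 2. The AuthRoot entry from the report. AuthRoot is the cache Windows fills through its
#    automatic root certificate update, so look at who the certificate is before deciding
#    it was planted; a root an attacker installs normally lands in the ROOT store instead.
$authRootKey = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
if (Test-Path -Path $authRootKey) {
    "AuthRoot registry entry present: $authRootKey"
    Get-ChildItem -Path Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint |
        Format-List
} else {
    "No AuthRoot entry for thumbprint $Thumbprint"
}

# 3. Same thumbprint in the stores an attacker would actually use to plant trust.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($hit) { "Also present in ${store}: $($hit.Subject)" }
}
```

Elevation is only needed to read other users' Startup folders; the certificate stores and the HKLM key are readable by any user. Two further low-signal items in this section: the BitLocker.psd1 opens above are PowerShell's module auto-discovery touching manifests under Modules while it resolves a command, and on their own they do not show that any BitLocker cmdlet ran; the NOOPENFILEERRORBOX entries that follow are SetErrorMode(SEM_NOOPENFILEERRORBOX) calls, which the .NET runtime makes at process start, which is why powershell.exe and jsc.exe report them as well.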
Source: C:\Users\user\Desktop\74fa486WVX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (37 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (100 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (33 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0Q5dKppSpEUoGQyfKKa0z3T3.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\0Q5dKppSpEUoGQyfKKa0z3T3.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0Q5dKppSpEUoGQyfKKa0z3T3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BqrcKabb3rjHWiGgZhhaSqKx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\BqrcKabb3rjHWiGgZhhaSqKx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BqrcKabb3rjHWiGgZhhaSqKx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: 74fa486WVX.exe PID: 6560, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory allocated: 22026AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory allocated: 220405A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 7C00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 6F70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 9CC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: ACC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: C270000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: D4F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: E4F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: F4F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 10C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 11C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 13C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 15C40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1E500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1F500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 20190000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 21590000 memory reserve | memory write watch
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595625
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Thread delayed: delay time: 300000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6144
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 5316
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 4355
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Window / User API: threadDelayed 899
Source: C:\Users\user\AppData\Local\Temp\u220.0.exe Window / User API: threadDelayed 390
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zjh0hj0NnUHk9L2TMnVQJLTW.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\ARP.EXE
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\G05ti52FimNWGW59YzUlmrp6.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\B_ZsWiDuQ1HQu1VXW6MeJxTk.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\mznEpIhRkhM45E5OaaApcXfQ.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\vul6UV08p0GCWyLDpSq_XRJi.exe
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954341577984.dll
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5v0.1.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\OUtbmIGo9QOLW9Uv4N_RuEES.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Default12_bake[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\EMeQ5ybqCaVICeTV8FEwhv9X.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\I8DoKYH21jtp8BdbZVeMJM7i.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\rules[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\xvOK71VIriJJFg16EAEdNnAh.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u57c.1.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\R44UL53NQLGR3F7y7U28BpiH.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\hh.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Retailer_prog[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SXmHoxZqoBYkuUqiuazKgSQI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aloOHvo84Sj3qHQOomdBVrke.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\E626JU8WedF91dS47oNi5eLU.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Space_bake[1].exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\timeSync[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\k37bNecnFhzJYNbz2EjRPf6F.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\gO9wCBet6czWaf0NsZO_UTnB.exe
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\jmOGnNVL64Ek76qrYZVKlVw5.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\setup[1].exe
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5tg.1.exe
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Assistant_109.0.5097.45_Setup[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ayrlXxluNGxfC55JVvCrmVJC.exe
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u4n4.1.exe
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\zO9gad4LUylgyGPVRTWG8XxZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\saOGw7GRWxI3UtHmlqck8d4L.exe
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Opera_109.0.5097.45_Autoupdate_x64[1].exe
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy)
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2e8.1.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\060[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JFMKbtzEUpmtpv6BsSkbHYie.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\cad54ba5b01423b1af8ec10ab5719d97[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\mxtAV4l73Uek6ZcBcswMxsWp.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\KpOMcUg7xZgdhNcAMeG69WU2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\zA0fUzPmMHacDwoXN5o2PtEI.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u278.1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\55U4oAfoSKfHUd9zgALXnYnz.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\cKoRtgFSDiCuW_NV2IeUEpEE.exe Jump to dropped file
Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\appidpolicyconverter.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\nCYFrpV4mlYXszmCzZcWov48.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\additional_file0.tmp Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\UXEo4_JR3JVOwMMHAOLzMKdh.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\grabber[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\htIsZjTfZjZuBCB42w6u1DiT.exe Jump to dropped file
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u220.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\setup294[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154301\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\f57Lg9cgmr2hMVAKkSa_5EEF.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\VCXaLRhnoJXqomdTeXblGJRq.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\5dDTPXBIdh37AT9JvHe3v9T2.exe Jump to dropped file
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954216548188.dll Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\123p[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\jHIeGCiObkRJMFj5XmJJdsLE.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\4fce60ee[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\vRRe41RxUVbUBnvAaNdID0sa.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\2HHKIWZutF51ekTbTCJmdsQD.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\JDyfRu1CTD86cboIGUzDhQmu.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\oBNS4h72HaE8OUAQKdDBeBC5.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\eEb1TKqbCVZy7sUcB7UxVvtM.exe Jump to dropped file
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\eTZIluMEeXg0MQ7rXsqUwQJd.exe Jump to dropped file
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u2cs.1.exe Jump to dropped file
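The drop list above is easier to reason about as a dropper-to-dropped graph than as sixty flat lines. The Python below is an added triage example, not part of the Joe Sandbox report or of any tool it names: it parses lines of this shape (the sample input is a handful of lines copied from the list above), groups them by dropper, flags a Windows system binary (here the .NET jsc.exe compiler) writing executables into the user profile, and singles out the NSS/CRT DLLs (freebl3, mozglue, msvcp140, softokn3) that Vidar/Stealc-family stealers fetch so they can decrypt Firefox credential stores on a host without Firefox. The location hints and the DLL list are this example's own assumptions.

```python
import json
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Matches the report's "Dropped PE file which has not been started" lines. The optional
# "Jump to dropped file" tail is the link label the HTML export leaves behind.
DROP_RE = re.compile(
    r"^Source:\s+(?P<dropper>.+?)\s+Dropped PE file which has not been started:\s+"
    r"(?P<dropped>.+?)(?:\s+Jump to dropped file)?\s*$"
)

# Where a dropped PE lands says how it got there (assumed hints, applied to the
# lower-cased path in this order; first hit wins).
LOCATION_HINTS = (
    (r"\\inetcache\\ie\\", "fetched over HTTP via WinINet/urlmon (IE cache)"),
    (r"\\appdata\\local\\temp\\7zs", "unpacked by a 7-Zip SFX stub"),
    (r"^c:\\programdata\\", "written to world-writable ProgramData"),
    (r"\\documents\\", "staged under the user's Documents"),
    (r"\\pictures\\", "staged under the user's Pictures"),
)

# Firefox NSS / CRT libraries that stealers download to read logins.json offline.
NSS_SIDELOAD_DLLS = {"freebl3.dll", "mozglue.dll", "msvcp140.dll", "nss3.dll",
                     "softokn3.dll", "vcruntime140.dll"}

# Sample input: lines copied from the report above (one non-drop line to show it is skipped).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\SXmHoxZqoBYkuUqiuazKgSQI.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll",
    r"Source: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS646E.tmp\Install.exe",
    r"Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\cKoRtgFSDiCuW_NV2IeUEpEE.exe",
    r"Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe API coverage: 8.6 %",
]


def parse_dropped(lines):
    """Yield (dropper, dropped_path) pairs; lines that are not drop events are skipped."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            yield m["dropper"], m["dropped"]


def classify(path):
    """Return a short provenance hint for a dropped-file path, or 'other'."""
    low = path.lower()
    for pattern, hint in LOCATION_HINTS:
        if re.search(pattern, low):
            return hint
    return "other"


def is_nss_sideload(path):
    """True for the NSS/CRT DLLs a stealer pulls in for Firefox credential decryption.
    The IE cache names them with a '[1]' suffix, which is stripped before the lookup."""
    name = re.sub(r"\[\d+\]", "", PureWindowsPath(path).name).lower()
    return name in NSS_SIDELOAD_DLLS


def summarize(lines):
    """Group drops by dropper basename, count landing locations, list system-binary droppers."""
    by_dropper = defaultdict(list)
    for dropper, dropped in parse_dropped(lines):
        by_dropper[dropper].append(dropped)
    return {
        "droppers": {PureWindowsPath(d).name: sorted(v) for d, v in by_dropper.items()},
        "by_location": Counter(classify(p) for v in by_dropper.values() for p in v),
        # A Microsoft-signed binary under C:\Windows writing PEs into the user profile
        # is a sign of injected code running inside it, not of the binary's own logic.
        "lolbin_droppers": sorted(PureWindowsPath(d).name for d in by_dropper
                                  if d.lower().startswith("c:\\windows\\")),
        "nss_sideload": sorted(PureWindowsPath(p).name for v in by_dropper.values()
                               for p in v if is_nss_sideload(p)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Feed it the whole report (one line per entry) and the `nss_sideload` list is the quickest confirmation that the u5tg.0.exe stage is a stealer rather than a loader.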
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe API coverage: 8.4 %
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe API coverage: 8.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7396 Thread sleep count: 5316 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599871s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7396 Thread sleep count: 4355 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7188 Thread sleep time: -1500000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599762s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599507s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599314s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599180s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598813s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598388s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598170s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -598058s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597488s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597364s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597125s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -597016s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596409s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -596078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -595969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -595860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -595735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -595625s >= -30000s
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 8132 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 7744 Thread sleep count: 899 > 30
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 7744 Thread sleep time: -179800s >= -30000s
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 7792 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe TID: 6380 Thread sleep count: 248 > 30
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe TID: 6380 Thread sleep time: -1488000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u220.0.exe TID: 6296 Thread sleep count: 390 > 30
Source: C:\Users\user\AppData\Local\Temp\u220.0.exe TID: 6296 Thread sleep time: -2340000s >= -30000s
Source: C:\Users\user\Desktop\74fa486WVX.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 13_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 13_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 13_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 13_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 13_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 13_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 13_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00401120 GetSystemInfo,ExitProcess, 13_2_00401120
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599507
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599314
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598813
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596409
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595625
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Thread delayed: delay time: 300000
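The thread-sleep lines above are the sample trying to out-wait the analysis window: the report's own cut-offs are a single sleep of 30000 or more (the ">= -30000s" comparison) and more than 30 sleeps in a loop (the "> 30" comparison). The script below is an added example, not part of the report, that turns these lines into a per-process total and a list of reasons a run would be starved of behaviour. It assumes two things the report does not state: the figures are milliseconds despite the "s" suffix (600000 is then 10 minutes), and 922337203685477 (Int64.MaxValue divided by 10000) is an infinite wait rendered in milliseconds. The sample input is copied from the lines above.

```python
import re
from collections import defaultdict

# One regex per report line shape. The process path is captured non-greedily up to the
# next keyword; the optional TID field appears on the sleep lines but not on "Thread delayed".
SLEEP_TIME_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)(?:\s+TID:\s+(?P<tid>\d+))?\s+Thread sleep time:\s+-(?P<ms>\d+)s")
SLEEP_COUNT_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)(?:\s+TID:\s+(?P<tid>\d+))?\s+Thread sleep count:\s+(?P<n>\d+)")
DELAY_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Thread delayed: delay time:\s+(?P<ms>\d+)")

# Assumption: Int64.MaxValue / 10000, i.e. an infinite timeout expressed in milliseconds.
INFINITE_MS = 922337203685477

# Sample input copied from the report (plus one non-sleep line to show it is ignored).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7328 Thread sleep time: -8301034833169293s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -600000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7396 Thread sleep count: 5316 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7352 Thread sleep time: -599871s >= -30000s",
    r"Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 8132 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe TID: 7744 Thread sleep count: 899 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe TID: 6380 Thread sleep count: 248 > 30",
    r"Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe TID: 6380 Thread sleep time: -1488000s >= -30000s",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\74fa486WVX.exe Last function: Thread delayed",
]


def parse_sleep_lines(lines):
    """Aggregate sleep telemetry per process from the report's thread-sleep lines."""
    stats = defaultdict(lambda: {"calls": 0, "total_ms": 0, "max_ms": 0,
                                 "loop_iterations": 0, "infinite_waits": 0})
    for raw in lines:
        line = raw.strip()
        if m := SLEEP_TIME_RE.match(line):
            s, ms = stats[m["proc"]], int(m["ms"])
            s["calls"] += 1
            s["total_ms"] += ms
            s["max_ms"] = max(s["max_ms"], ms)
        elif m := SLEEP_COUNT_RE.match(line):
            stats[m["proc"]]["loop_iterations"] += int(m["n"])
        elif m := DELAY_RE.match(line):
            # "Thread delayed" repeats the sleeps listed above it, so it is only used
            # to spot infinite waits rather than being added to the totals again.
            if int(m["ms"]) >= INFINITE_MS:
                stats[m["proc"]]["infinite_waits"] += 1
    return dict(stats)


def humanize(ms):
    """Render a millisecond count in the largest sensible unit."""
    if ms >= INFINITE_MS:
        return "infinite"
    for unit, div in (("d", 86_400_000), ("h", 3_600_000), ("min", 60_000), ("s", 1_000)):
        if ms >= div:
            return f"{ms / div:.1f} {unit}"
    return f"{ms} ms"


def evasion_verdict(stats, budget_ms=120_000, per_call_ms=30_000, loop_threshold=30):
    """List, per process, why it would out-wait a sandbox. per_call_ms and loop_threshold
    mirror the report's own cut-offs; budget_ms is an assumed two-minute analysis window."""
    verdicts = {}
    for proc, s in stats.items():
        reasons = []
        if s["max_ms"] >= per_call_ms:
            reasons.append(f"single sleep of {humanize(s['max_ms'])}")
        if s["total_ms"] >= budget_ms:
            reasons.append(f"cumulative sleep of {humanize(s['total_ms'])} exceeds "
                           f"the {humanize(budget_ms)} budget")
        if s["loop_iterations"] > loop_threshold:
            reasons.append(f"{s['loop_iterations']} short sleeps in a loop (stalling)")
        if s["infinite_waits"]:
            reasons.append("blocking wait with an infinite timeout")
        verdicts[proc] = reasons
    return verdicts


if __name__ == "__main__":
    for proc, reasons in evasion_verdict(parse_sleep_lines(SAMPLE_LINES)).items():
        print(proc, "->", "; ".join(reasons) or "no stalling observed")
```

The 9cQOeDxBBzNL5s3WiYLdFtQh.exe entry shows why the two thresholds are kept separate: its single 30-second sleep is borderline, but 899 iterations of a short sleep in one thread is the classic stalling loop that a sandbox which only patches long sleeps will not defeat.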
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1886660867.00000000004FC000.00000004.00000020.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.1936631045.000000000046C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU_HARDU
Source: svchost.exe, 00000010.00000003.1755240344.00000239DF044000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Full
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp, u5lo.0.exe, 0000001B.00000002.2700544037.0000000001DEF000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000002.2409789476.0000000001C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: u5tg.0.exe, 0000000D.00000002.2470929452.0000000001BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwaren
Source: jsc.exe, 00000005.00000002.2486782227.0000000001655000.00000004.00000020.00020000.00000000.sdmp, aD6tv7fY2lQHgM7IuiL9Hw1Z.exe, 0000000A.00000003.2116998473.0000000001B3D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000002.2466250043.0000000003830000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[.g.
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 9cQOeDxBBzNL5s3WiYLdFtQh.exe, 0000000C.00000003.1847485407.00000000047FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ummBLURRRdyRAIz=SSG xw ziJMKylBQjj rqgvvNhANawnpPyOEszKceZbMcijpIMPLVNkcKeTOxRnMLWKeFfirxWBbM GRirNHnzbxFjQSxdfDXVJcqhjAkGtsILZdCAKsHPkgbhQwDtPRkEsIu eocIuEquxacsrKpQqFmqiQmpbNuHnI lHYrLaXhlH JaWvGIVmDSaCCNxlG EekIqxNn MOwYgDgwKIAXPcdnwBSMh riVazwkyPdInguzNgpOATkKMQQtkbHMImMAEYCkhqAurdsHhQEMUOs;
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000002.2588799253.0000000003817000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: u5lo.0.exe, 0000001B.00000002.2691208486.0000000001D7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: svchost.exe, 0000000F.00000002.2069061625.0000020C91202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000002.2525303834.0000000001BB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Core
Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Enterprise without Hyper-V Full
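Not every hypervisor string in the block above is a VM check. "Hyper-V RAW" is the Winsock catalog entry that mswsock.dll registers on every current Windows install (the report even shows it next to the mswsock.dll path), the "Standard without Hyper-V Core" family are Windows edition names, and the VMware SATA device path lives in svchost.exe because the sandbox host is itself a VMware guest. The evidence that matters is in 74fa486WVX.exe (VMware Tools registry key, vmmouse.sys, vmhgfs.sys, VBoxMouse.sys) and the two Pictures droppers that reference the VirtualBox DSDT key. The script below is an added example, not part of the report, that scores those strings per process with that distinction built in; the weights and the list of system processes are its own assumptions, and the sample input is copied from the lines above (the svchost.exe string abridged to its last device path).

```python
import re
from collections import defaultdict

STRING_RE = re.compile(r"^Source:\s+(?P<sources>.+?)\s+Binary or memory string:\s*(?P<s>.*)$")

# (pattern, hypervisor family, weight), checked in order, case-insensitive, first hit wins.
# weight 2: referenced only to detect a VM (guest-tools keys, guest drivers, VBOX DSDT name)
# weight 1: vendor name in an ambiguous context
# weight 0: present on any Windows 10 host regardless of virtualization (assumed noise)
VM_INDICATORS = (
    (r"HARDWARE\\ACPI\\DSDT\\VBOX__", "VirtualBox", 2),
    (r"VBoxMouse\.sys", "VirtualBox", 2),
    (r"SOFTWARE\\VMware, Inc\.\\VMware Tools", "VMware", 2),
    (r"vmmouse\.sys|vmhgfs\.sys", "VMware", 2),
    (r"VMware SVGA II|Program Files\\VMware\\VMware Tools", "VMware", 2),
    (r"\bQEMU", "QEMU", 1),
    (r"VMware", "VMware", 1),
    (r"Hyper-V RAW", "Hyper-V", 0),                       # Winsock catalog entry (mswsock.dll)
    (r"with(out)? Hyper-V|Microsoft Hyper-V Server", "Hyper-V", 0),  # Windows edition names
    (r"vmic(kvpexchange|shutdown|guestinterface|vmsession|vss)", "Hyper-V", 0),  # integration services
)

# Windows processes whose memory describes the analysis host, not the sample's intent.
SYSTEM_PROCESSES = {"svchost.exe", "conhost.exe"}

SAMPLE_LINES = [
    r"Source: RztCbUmZBnVI5vwgknk1v9gl.exe, 00000017.00000002.1886660867.00000000004FC000.00000004.00000020.00020000.00000000.sdmp, oBwm3xYVYadvvyPM22CjpgTr.exe, 00000018.00000002.1936631045.000000000046C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Server",
    r"Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware",
    r"Source: svchost.exe, 00000010.00000003.1755240344.00000239DF044000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, x2VAVd7wCFKvEJ20FLblB74a.exe, 0000001D.00000002.2409789476.0000000001C69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW",
    r"Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools",
    r"Source: 74fa486WVX.exe, 00000000.00000002.2151703138.00000220285DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Standard without Hyper-V Core",
]


def classify_string(s):
    """Return (family, weight) for one memory string, or None when it has no VM relevance."""
    for pattern, family, weight in VM_INDICATORS:
        if re.search(pattern, s, re.IGNORECASE):
            return family, weight
    return None


def triage(lines):
    """Score each process's VM-detection evidence; weight-0 hits and hits inside
    Windows system processes are counted as noise instead of evidence."""
    result = defaultdict(lambda: {"score": 0, "families": defaultdict(int), "noise": 0})
    for raw in lines:
        m = STRING_RE.match(raw.strip())
        if not m:
            continue
        hit = classify_string(m["s"])
        if hit is None:
            continue
        family, weight = hit
        # The source field lists "process, dump-id" pairs; keep only the process names.
        procs = [t.strip() for t in m["sources"].split(",") if t.strip().lower().endswith(".exe")]
        for proc in procs:
            entry = result[proc]
            if weight == 0 or proc.lower() in SYSTEM_PROCESSES:
                entry["noise"] += 1
            else:
                entry["score"] += weight
                entry["families"][family] += weight
    return {p: {"score": e["score"], "families": dict(e["families"]), "noise": e["noise"]}
            for p, e in result.items()}


if __name__ == "__main__":
    for proc, entry in sorted(triage(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{proc:40} score={entry['score']:2} noise={entry['noise']} {entry['families']}")
```

Run over the full block, the processes with a non-zero score are the ones whose "Query firmware table information" and "AntiVM3" signatures deserve a look; the rest only inherit the analysis host's own hardware strings.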
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe System information queried: ModuleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: regmonclass
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: filemonclass
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\74fa486WVX.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00404540 InternetOpenA,StrCmpCA,LdrInitializeThunk,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 13_2_00404540
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00409A73
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00416240
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_004139E7 mov eax, dword ptr fs:[00000030h] 10_2_004139E7
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_01A7F41B push dword ptr fs:[00000030h] 10_2_01A7F41B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369092B mov eax, dword ptr fs:[00000030h] 10_2_0369092B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_03690D90 mov eax, dword ptr fs:[00000030h] 10_2_03690D90
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036A3C4E mov eax, dword ptr fs:[00000030h] 10_2_036A3C4E
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00415DC0 mov eax, dword ptr fs:[00000030h] 13_2_00415DC0
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00420C1A GetProcessHeap, 10_2_00420C1A
Source: C:\Users\user\Desktop\74fa486WVX.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00409C06 SetUnhandledExceptionFilter, 10_2_00409C06
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00409EBE
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0041073B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0369A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_0369A125
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_036A09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_036A09A2
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_03699E6D SetUnhandledExceptionFilter, 10_2_03699E6D
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_03699CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_03699CDA
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00419DC7 SetUnhandledExceptionFilter, 13_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6834B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_6834B1F7
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_6834B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_6834B66C
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\74fa486WVX.exe" -Force
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe NtQuerySystemInformation: Indirect: 0x1405B5929
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe NtQueryInformationProcess: Indirect: 0x14063B4CB
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe NtQueryInformationProcess: Indirect: 0x14063B33A
Source: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe NtSetInformationThread: Indirect: 0x14063D4B0
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\74fa486WVX.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000
Source: C:\Users\user\Desktop\74fa486WVX.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000
Source: C:\Users\user\Desktop\74fa486WVX.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 13_2_00415D00
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 404000
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 406000
Source: C:\Users\user\Desktop\74fa486WVX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11E3008
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\74fa486WVX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe "C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe "C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe "C:\Users\user\Pictures\RztCbUmZBnVI5vwgknk1v9gl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe "C:\Users\user\Pictures\oBwm3xYVYadvvyPM22CjpgTr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe "C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe "C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe "C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe "C:\Users\user\Pictures\l6tkmwjdUErRj2XjAOLUSPtS.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe "C:\Users\user\Pictures\VOj2XP57pkkframg3VKI0bnJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe "C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe "C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe "C:\Users\user\Pictures\snaftQ9InX6HRaN4agnWr7Oj.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe "C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe "C:\Users\user\Pictures\DbyQ6xoUIVFK3HkjBf1oW5kz.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe "C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe "C:\Users\user\Pictures\EB0On5SEskIrRrycifeZdat8.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe "C:\Users\user\Pictures\pBXyZagaHAQQrhw6oBm3PDRx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe "C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe "C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 468 -p 6560 -ip 6560
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6560 -s 1104
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process created: C:\Users\user\AppData\Local\Temp\u5tg.0.exe "C:\Users\user\AppData\Local\Temp\u5tg.0.exe"
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\eXNDeRDst4kQrDZC4an0uq9f.exe Process created: C:\Users\user\AppData\Local\Temp\u5lo.0.exe "C:\Users\user\AppData\Local\Temp\u5lo.0.exe"
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process created: C:\Users\user\AppData\Local\Temp\u220.0.exe "C:\Users\user\AppData\Local\Temp\u220.0.exe"
Source: C:\Users\user\Pictures\LnpUuX1UZxpX7wm3ojkkhPdD.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\GnP27p1NAAqpGRO5fkWggl4G.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\aLJAULt319f3yelZ9yHcLLmp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\x2VAVd7wCFKvEJ20FLblB74a.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ucyz2FBrS2ZmSVbb1v4MylBp.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\62yRKzzf4sPbuvaYnIB1MyY6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ZD1fmOCLpyrjNES6gIPEm8BD.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\hF86uNIlujuYkRxMrMiHYFp6.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\RyhY8hIGZEZNYbghQkrpaTbg.exe Process created: unknown unknown
Source: LnpUuX1UZxpX7wm3ojkkhPdD.exe, 00000012.00000003.1983329590.0000000004568000.00000004.00000020.00020000.00000000.sdmp, GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.1975964072.0000000004434000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: GnP27p1NAAqpGRO5fkWggl4G.exe, 0000001A.00000003.2045418362.0000000004419000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_00409D1B cpuid 10_2_00409D1B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_00420063
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_004208CE
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_004170F1
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0042099B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_004202DB
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_00420326
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_004203C1
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_0042044E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_004174E4
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_0042069E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_004207C7
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_036A7358
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_036B0B35
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_036B0A2E
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_036B02CA
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_036B0903
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_036B0905
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetLocaleInfoW, 10_2_036A774B
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_036B0628
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_036B0542
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: EnumSystemLocalesW, 10_2_036B058D
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_036B0C02
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 13_2_00414570
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\74fa486WVX.exe Queries volume information: C:\Users\user\Desktop\74fa486WVX.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5lo.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u220.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Pictures\aD6tv7fY2lQHgM7IuiL9Hw1Z.exe Code function: 10_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_0040996D
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 13_2_004143C0
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 13_2_004144B0
Source: C:\Users\user\Desktop\74fa486WVX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Desktop\74fa486WVX.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA Jump to behavior
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\VlXwxkChbaUTvh7hyepXHnCW.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Pictures\9cQOeDxBBzNL5s3WiYLdFtQh.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
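The registry values listed above are the Defender and UAC kill switches an analyst would look for on a suspected host. The following is an added example for this report (not code from the sample or from the sandbox) that parses a .reg export and flags those values; the SAMPLE_REG text is constructed to mirror the entries in the section above, and the HKLM collection path for UAC is an assumption about where to look, not something the report shows being exported.

```python
"""Audit a .reg export for the Defender / UAC policy tampering listed above.

Added example for this report; it is not code from the sample or from the
sandbox. Collect the input on the suspect host with the built-in tool:

    reg export "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects" gpo.reg /y
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" uac.reg /y

SAMPLE_REG below is constructed to mirror the values in the report.
"""
import re

# Value names under SOFTWARE\Policies\Microsoft\<subkey> that disable a
# protection when set to DWORD 1 (the report shows every one of them created).
DEFENDER_KILL_SWITCHES = {
    "Windows Defender": {"DisableAntiSpyware", "DisableRoutinelyTakingAction"},
    "Windows Defender\\Real-Time Protection": {
        "DisableBehaviorMonitoring", "DisableOnAccessProtection",
        "DisableScanOnRealtimeEnable", "DisableRealtimeMonitoring",
        "DisableIOAVProtection", "DisableRawWriteNotification",
    },
}
# Value names under ...\Windows Defender\Exclusions that switch an exclusion list on.
EXCLUSION_ENABLERS = {"Exclusions_Extensions", "Exclusions_Paths", "Exclusions_Processes"}

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers, dword and string values.

    Returns {(key, value_name): data}; multi-line hex(...) values are skipped.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not line:
            continue
        m = _DWORD.match(line)
        if m:
            values[(key, m.group("name"))] = int(m.group("hex"), 16)
            continue
        m = _STRING.match(line)
        if m:
            values[(key, m.group("name"))] = m.group("val")
    return values


def staged_in_user_gpo_cache(key):
    """True when the key sits under HKCU\\...\\Group Policy Objects\\{GUID}Machine\\, i.e.
    local-GPO staging data written as the user (the report also shows gpt.ini being
    written), as opposed to an already-applied policy under HKLM\\SOFTWARE\\Policies."""
    k = key.upper()
    return "\\GROUP POLICY OBJECTS\\" in k and "}MACHINE\\" in k


def audit_defender_policy(values):
    """Return (key, value_name, finding) triples for values that weaken Defender or UAC."""
    findings = []
    for (key, name), data in sorted(values.items()):
        k = key.upper()
        for subkey, switches in DEFENDER_KILL_SWITCHES.items():
            if k.endswith(("\\SOFTWARE\\POLICIES\\MICROSOFT\\" + subkey).upper()) \
                    and name in switches and data == 1:
                findings.append((key, name, "Defender protection disabled by policy"))
        if k.endswith("\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS") \
                and name in EXCLUSION_ENABLERS and data == 1:
            findings.append((key, name, "Defender exclusion list enabled"))
        if k.endswith("\\CURRENTVERSION\\POLICIES\\SYSTEM") and name == "EnableLUA" and data == 0:
            findings.append((key, name, "UAC disabled (EnableLUA=0)"))
    return findings


# Constructed sample export mirroring the report's entries (GUID copied from the report).
_GPO = ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy Objects"
        "\\{8F29E178-9661-4084-8511-EE37C01FCDBF}Machine\\SOFTWARE\\Policies\\Microsoft\\Windows Defender")
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{_GPO}]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

[{_GPO}\\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001

[{_GPO}\\Exclusions]
"Exclusions_Extensions"=dword:00000001

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"EnableLUA"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, finding in audit_defender_policy(parse_reg_export(SAMPLE_REG)):
        where = "staged local GPO" if staged_in_user_gpo_cache(key) else "applied policy"
        print(f"{finding}: {name} [{where}] {key}")
```

Once the staged policy has been applied, the same value names appear under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; export that key as well and run the audit over both files so that a host where the staging keys were already cleaned up is still caught.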

Stealing of Sensitive Information

Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1746772797.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1889376133.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1875392962.0000000001BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2628808333.0000000000400000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2456883549.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED
Source: Yara match File source: 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5tg.0.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: u5lo.0.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1746772797.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1889376133.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1875392962.0000000001BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2628808333.0000000000400000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2456883549.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5tg.0.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5tg.0.exe, 0000000D.00000002.2473396131.0000000001C56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5tg.0.exe, 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: jsc.exe, 00000005.00000002.2967048972.0000000004619000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ) for Ethereum-based blockchains and cryptographically secured digital assets. The in-app wallet service is provided by our affiliate, Blueboard Limited, which is solely responsible for its operation. Use of the wallet service is subject to Blueboard
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 0000000D.00000002.2456883549.0000000000447000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5tg.0.exe PID: 8080, type: MEMORYSTR
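The pipe-delimited string recovered from u5tg.0.exe memory is the grabber configuration the stealer walks, and the "File opened" events under AppData\Roaming are the result of applying it. As an added example, not code from the report or from the sample, the following Python parses an excerpt of that string into five-field records (name, base index, relative path, file mask, trailing flag), resolves the base index to a root directory, emits a watch list of directory\mask pairs, and checks observed file-open paths against it. The five-field layout is my reading of the string; the mapping 1 -> %APPDATA% follows the observed opens, while 2 -> %USERPROFILE% and the meaning of the trailing 0/1 flag are assumptions.

```python
"""Parse a stealer wallet-grabber config into a watch list and match file-open events.

Added illustration; not code from the sandbox report or from the sample.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Excerpt of the pipe-delimited string recovered from u5tg.0.exe memory (copied from
# the report, shortened). In the dump the first record has no name field, so it is
# parsed here with an empty name. Layout assumed: name|base|path|mask|flag per record.
WALLET_CONFIG = (
    "|1|\\Bitcoin\\wallets\\|wallet.dat|1|"
    "Bitcoin Core Old|1|\\Bitcoin\\|*wallet*.dat|0|"
    "Dogecoin|1|\\Dogecoin\\|*wallet*.dat|0|"
    "Electrum|1|\\Electrum\\wallets\\|*.*|0|"
    "Exodus\\exodus.wallet|1|\\Exodus\\exodus.wallet\\|seed.seco|0|"
    "Binance|1|\\Binance\\|app-store.json|0|"
    "Chia Wallet\\wallet|2|\\.chia\\mainnet\\wallet\\|*.*|0|"
    "Guarda Desktop\\Local Storage\\leveldb|1|\\Guarda\\Local Storage\\leveldb\\|*.*|0|"
)

# Assumed root for each base index. Index 1 lines up with every "File opened" event in
# the report (all under AppData\Roaming); index 2 appears only on the Chia entries,
# which keep their data under the profile root, so %USERPROFILE% is assumed.
ROOTS = {
    1: r"C:\Users\user\AppData\Roaming",
    2: r"C:\Users\user",
}


@dataclass(frozen=True)
class WalletTarget:
    name: str   # label the stealer uses for the loot folder (empty for the truncated record)
    base: int   # root-directory index, resolved through ROOTS
    path: str   # relative directory, leading and trailing backslash as in the config
    mask: str   # file mask collected inside that directory
    flag: int   # trailing 0/1 field; kept opaque here (assumed to be a recursion switch)


def parse_wallet_config(cfg: str) -> list[WalletTarget]:
    """Split the config on '|' and group every five fields into one WalletTarget."""
    fields = cfg.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the string ends with a separator
    if len(fields) % 5:
        raise ValueError(f"{len(fields)} fields is not a whole number of 5-field records")
    return [
        WalletTarget(fields[i], int(fields[i + 1]), fields[i + 2], fields[i + 3], int(fields[i + 4]))
        for i in range(0, len(fields), 5)
    ]


def target_dir(t: WalletTarget, roots: dict[int, str] = ROOTS) -> str:
    """Absolute directory the stealer enumerates for this record."""
    return roots[t.base] + t.path.rstrip("\\")


def hunt_globs(targets: list[WalletTarget], roots: dict[int, str] = ROOTS) -> list[str]:
    """Directory\\mask pairs to feed a file-access detection rule or a DFIR sweep."""
    return [target_dir(t, roots) + "\\" + t.mask for t in targets]


def match_event(opened: str, targets: list[WalletTarget], roots: dict[int, str] = ROOTS) -> WalletTarget | None:
    """Return the first record that explains an observed file-open path, else None.

    Opening the target directory itself counts (that is what the report's
    "File opened: ...\\wallets\\" lines show); a file directly inside it counts when
    its name matches the mask. Comparison is case-insensitive, as on NTFS.
    """
    norm = opened.rstrip("\\").lower()
    for t in targets:
        d = target_dir(t, roots).lower()
        if norm == d:
            return t
        if norm.startswith(d + "\\"):
            rel = norm[len(d) + 1:]
            if "\\" not in rel and fnmatch.fnmatchcase(rel, t.mask.lower()):
                return t
    return None


if __name__ == "__main__":
    targets = parse_wallet_config(WALLET_CONFIG)
    for g in hunt_globs(targets):
        print("watch:", g)
    # First three paths are "File opened" lines from the report; the last is constructed.
    observed = [
        "C:\\Users\\user\\AppData\\Roaming\\Bitcoin\\wallets\\",
        "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\",
        r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
    ]
    for p in observed:
        hit = match_event(p, targets)
        print(("HIT  " if hit else "miss ") + p + (f"  -> {hit.name or '<unnamed>'}" if hit else ""))
```

The browser and Outlook artifacts the same process touches (Login Data, cookies.sqlite, the Windows Messaging Subsystem profile keys) are not covered by this string; they come from the stealer's built-in modules, so a detection built only from the wallet watch list will miss them and should be paired with rules on those paths.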

Remote Access Functionality

Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1746772797.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1889376133.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1875392962.0000000001BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2628808333.0000000000400000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2456883549.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED
Source: Yara match File source: 0000000D.00000002.2473396131.0000000001C24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2700544037.0000000001DA4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5tg.0.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: u5lo.0.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.u5lo.0.exe.1bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.u5tg.0.exe.3590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.u5lo.0.exe.1ba0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u220.0.exe.35c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.1bb0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.u5tg.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1746772797.0000000003590000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.1889376133.00000000035C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2640607262.0000000001BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.1875392962.0000000001BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2470863926.0000000001BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2628808333.0000000000400000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2456883549.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5tg.0.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\CCN3NQ4YsQxXhtmcSRpYcrYn.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\u5tg.0.exe Code function: 13_2_68520B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 13_2_68520B40