Windows Analysis Report
KvS2rT08PQ.exe

Overview

General Information

Sample name: KvS2rT08PQ.exe
renamed because original name is a hash value
Original sample name: 2784277bd68152abf75c6c6d59fab7af.exe
Analysis ID: 1429103
MD5: 2784277bd68152abf75c6c6d59fab7af
SHA1: e1d047c97e3bdfe273b215b42eccde32ca2ca63f
SHA256: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc
Tags: exenjratRAT
Infos:

Detection

Blank Grabber, Njrat, Umbral Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Blank Grabber
Yara detected Njrat
Yara detected Umbral Stealer
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to disable the Task Manager (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Disables zone checking for all users
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
 https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: KvS2rT08PQ.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Avira: detection malicious, Label: HEUR/AGEN.1307507
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Avira: detection malicious, Label: TR/Redcap.pwthy
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 1.0.Umbral.exe.253f8f30000.0.unpack Malware Configuration Extractor: Umbral Stealer {"C2 url": "https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-", "Version": "v1.3"}
Source: 2.0.svchost.exe.e00000.0.unpack Malware Configuration Extractor: Njrat {"Campaign ID": "HacKed", "Version": "0.7d", "Install Name": "62b7d4736043995d94b02f8790cef504", "Install Dir": "Adobe Update", "Registry Value": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Network Seprator": "|'|'|"}
Multi AV Scanner detection for domain / URL
Source: 0.tcp.eu.ngrok.io Virustotal: Detection: 16% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Virustotal: Detection: 64% Perma Link
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Virustotal: Detection: 70% Perma Link
Source: C:\Users\user\AppData\Local\Temp\svchost.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Virustotal: Detection: 77% Perma Link
Multi AV Scanner detection for submitted file
Source: KvS2rT08PQ.exe ReversingLabs: Detection: 68%
Source: KvS2rT08PQ.exe Virustotal: Detection: 71% Perma Link
Yara detected Njrat
Source: Yara match File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: KvS2rT08PQ.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: KvS2rT08PQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: KvS2rT08PQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: !costura.discordrpc.pdb.compressed source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|447C1853EECA30637A94415F07CA7CD3E384746B|27868 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed source: ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed source: ANDYzz-protected.exe.0.dr
Source: Binary string: 8costura.hardcodet.wpf.taskbarnotification.pdb.compressed source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed|||Hardcodet.Wpf.TaskbarNotification.pdb|0FF074905FAAB506531D68962300EAF21DAF3B05|97792 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed8 source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed source: ANDYzz-protected.exe.0.dr

Spreading
barindex
Contains functionality to spread to USB devices (.Net source)
Source: svchost.exe.0.dr, Usb1.cs .Net Code: infect
May infect USB drives
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: \autorun.inf
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: [autorun]
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: autorun.inf
Source: svchost.exe.0.dr Binary or memory string: \autorun.inf
Source: svchost.exe.0.dr Binary or memory string: [autorun]
Source: svchost.exe.0.dr Binary or memory string: autorun.inf

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49737 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49737 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49740 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49747 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49747 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49749 -> 18.158.249.75:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49750 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49750 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49751 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49751 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49752 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49752 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49753 -> 3.125.209.94:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49754 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49754 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49755 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49755 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49756 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49756 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49757 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49758 -> 3.125.223.134:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic Snort IDS: 2814860 ETPRO TROJAN njRAT/Bladabindi CnC Callback (act) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic Snort IDS: 2825564 ETPRO TROJAN Generic njRAT/Bladabindi CnC Activity (act) 192.168.2.4:49759 -> 3.124.142.205:19177
Source: Traffic Snort IDS: 2033132 ET TROJAN Generic njRAT/Bladabindi CnC Activity (ll) 192.168.2.4:49760 -> 3.124.142.205:19177
Source: Traffic Snort IDS: 2814856 ETPRO TROJAN njrat ver 0.7d Malware CnC Callback (inf) 192.168.2.4:49760 -> 3.124.142.205:19177
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.124.142.205 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.125.223.134 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.125.209.94 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 18.158.249.75 19177 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-
Yara detected Generic Downloader
Source: Yara match File source: 3.2.ANDYzz-protected.exe.191dc700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ANDYzz-protected.exe.191d3c91a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 18.158.249.75:19177
Source: global traffic TCP traffic: 192.168.2.4:49750 -> 3.125.209.94:19177
Source: global traffic TCP traffic: 192.168.2.4:49754 -> 3.125.223.134:19177
Source: global traffic TCP traffic: 192.168.2.4:49759 -> 3.124.142.205:19177
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 376Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 162Expect: 100-continue
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 3.125.223.134 3.125.223.134
Source: Joe Sandbox View IP Address: 3.125.209.94 3.125.209.94
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: keyauth.win
Source: unknown HTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 376Expect: 100-continueConnection: Keep-Alive
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gstatic.com
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800F3000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000002.1697775557.0000025380108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr String found in binary or memory: http://ip-api.com/line/?fields=hostingI7AB5C494-39F5-4941-9163-47F54D6D5016I032E02B4-0499-05C3-0806-
Source: Umbral.exe, 00000001.00000002.1699911979.00000253FB552000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: ANDYzz-protected.exe, 00000003.00000002.4115838115.00000191D3C81000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4123441835.00000191DC700000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/tWQFFgygASaEccWKmNiVdEXnTMYHruQoFGGxlHMVsnlabuZvwozniMWOZDMT
Source: Umbral.exe, 00000001.00000002.1697775557.000002538008E000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ANDYzz-protected.exe, 00000003.00000002.4126923921.00000191DDA42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Umbral.exe.0.dr String found in binary or memory: https://discord.com/api/v10/users/
Source: Umbral.exe, 00000001.00000002.1697775557.0000025380001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr String found in binary or memory: https://discordapp.com/api/v9/users/
Source: Umbral.exe.0.dr String found in binary or memory: https://github.com/Blank-c/Umbral-Stealer
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com
Source: Umbral.exe, 00000001.00000002.1698819541.00000253F9220000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/
Source: Umbral.exe, 00000001.00000002.1697775557.0000025380001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gstatic.com/generate_204
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr String found in binary or memory: https://gstatic.com/generate_204e==================Umbral
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaframework.com/api/licensing.php
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/api/licensing.php
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gunaui.com/pricing
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3D05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keyauth.cc/panel/amine0xp/ANDYxx/
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win
Source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keyauth.win/api/1.0/
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49733 version: TLS 1.2
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud
barindex
Yara detected Njrat
Source: Yara match File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Code function: 0_2_00007FFD9B880A31 0_2_00007FFD9B880A31
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_05CC4298 2_2_05CC4298
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_05CC4287 2_2_05CC4287
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Code function: 3_2_00007FFD9B8B0AAD 3_2_00007FFD9B8B0AAD
PE file does not import any functions
Source: ANDYzz-protected.exe.0.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameANDYzz.exe. vs KvS2rT08PQ.exe
Source: KvS2rT08PQ.exe, 00000000.00000002.1650647014.000000001B219000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs KvS2rT08PQ.exe
Source: KvS2rT08PQ.exe Binary or memory string: OriginalFilenameNAM HERE.exe4 vs KvS2rT08PQ.exe
Uses 32bit PE files
Source: KvS2rT08PQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: ANDYzz-protected.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ANDYzz-protected.exe.0.dr Static PE information: Section: fgen ZLIB complexity 1.000328828011611
Source: Umbral.exe.0.dr, --.cs Base64 encoded string: 'U2V0LU1wUHJlZmVyZW5jZSAtRGlzYWJsZUludHJ1c2lvblByZXZlbnRpb25TeXN0ZW0gJHRydWUgLURpc2FibGVJT0FWUHJvdGVjdGlvbiAkdHJ1ZSAtRGlzYWJsZVJlYWx0aW1lTW9uaXRvcmluZyAkdHJ1ZSAtRGlzYWJsZVNjcmlwdFNjYW5uaW5nICR0cnVlIC1FbmFibGVDb250cm9sbGVkRm9sZGVyQWNjZXNzIERpc2FibGVkIC1FbmFibGVOZXR3b3JrUHJvdGVjdGlvbiBBdWRpdE1vZGUgLUZvcmNlIC1NQVBTUmVwb3J0aW5nIERpc2FibGVkIC1TdWJtaXRTYW1wbGVzQ29uc2VudCBOZXZlclNlbmQgJiYgcG93ZXJzaGVsbCBTZXQtTXBQcmVmZXJlbmNlIC1TdWJtaXRTYW1wbGVzQ29uc2VudCAy'
Source: classification engine Classification label: mal100.spre.phis.troj.spyw.evad.winEXE@19/9@6/6
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_065324CE AdjustTokenPrivileges, 2_2_065324CE
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_06532497 AdjustTokenPrivileges, 2_2_06532497
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KvS2rT08PQ.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Mutant created: \Sessions\1\BaseNamedObjects\6uXEbtir2ybaHnvlC
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\62b7d4736043995d94b02f8790cef504
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Mutant created: \Sessions\1\BaseNamedObjects\heh5456GeEquhSfLaVSv
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Temp\Umbral.exe Jump to behavior
Source: KvS2rT08PQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KvS2rT08PQ.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: KvS2rT08PQ.exe ReversingLabs: Detection: 68%
Source: KvS2rT08PQ.exe Virustotal: Detection: 71%
Source: unknown Process created: C:\Users\user\Desktop\KvS2rT08PQ.exe "C:\Users\user\Desktop\KvS2rT08PQ.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe"
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid
Source: C:\Windows\System32\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe" Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall delete allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: KvS2rT08PQ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KvS2rT08PQ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KvS2rT08PQ.exe Static file information: File size 2447360 > 1048576
Source: C:\Users\user\AppData\Local\Temp\svchost.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: KvS2rT08PQ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x24d600
Source: KvS2rT08PQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: !costura.discordrpc.pdb.compressed source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed|||DiscordRPC.pdb|447C1853EECA30637A94415F07CA7CD3E384746B|27868 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed source: ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed source: ANDYzz-protected.exe.0.dr
Source: Binary string: 8costura.hardcodet.wpf.taskbarnotification.pdb.compressed source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.hardcodet.wpf.taskbarnotification.pdb.compressed|||Hardcodet.Wpf.TaskbarNotification.pdb|0FF074905FAAB506531D68962300EAF21DAF3B05|97792 source: KvS2rT08PQ.exe, 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, ANDYzz-protected.exe.0.dr
Source: Binary string: costura.costura.pdb.compressed8 source: ANDYzz-protected.exe, 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.discordrpc.pdb.compressed source: ANDYzz-protected.exe.0.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: svchost.exe.0.dr, Fransesco.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Yara detected Costura Assembly Loader
Source: Yara match File source: 3.0.ANDYzz-protected.exe.191c1be0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1650214474.0000000002791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.4100234414.00000191C3C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.1646530842.00000191C1C92000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: KvS2rT08PQ.exe PID: 6500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ANDYzz-protected.exe PID: 2736, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe, type: DROPPED
Binary contains a suspicious time stamp
Source: Umbral.exe.0.dr Static PE information: 0x9C61056C [Wed Feb 19 18:54:36 2053 UTC]
PE file contains sections with non-standard names
Source: ANDYzz-protected.exe.0.dr Static PE information: section name: fgen
Source: ANDYzz-protected.exe.0.dr Static PE information: section name: fgen
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Code function: 0_2_00007FFD9B8800BD pushad ; iretd 0_2_00007FFD9B8800C1
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Code function: 1_2_00007FFD9B8B00BD pushad ; iretd 1_2_00007FFD9B8B00C1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 2_2_033B313C push ebp; ret 2_2_033B3176
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Code function: 3_2_00007FFD9B79D2A5 pushad ; iretd 3_2_00007FFD9B79D2A6
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Code function: 3_2_00007FFD9B8B7963 push ebx; retf 3_2_00007FFD9B8B796A
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Code function: 3_2_00007FFD9B8B7535 push ebx; iretd 3_2_00007FFD9B8B756A
Source: ANDYzz-protected.exe.0.dr Static PE information: section name: fgen entropy: 7.999509357708395
Source: ANDYzz-protected.exe.0.dr Static PE information: section name: .text entropy: 7.969460959015525

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Temp\Umbral.exe Jump to dropped file
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe File created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Memory allocated: 8E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Memory allocated: 1A790000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Memory allocated: 253F9290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Memory allocated: 253FACF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 3A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 3A90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 5A90000 memory commit | memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Memory allocated: 191C2180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Memory allocated: 191DBC80000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599762 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599435 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599308 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598983 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598545 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597955 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597716 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597608 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597390 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597275 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597170 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597061 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596923 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596560 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596451 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596233 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595907 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595780 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595553 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594867 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594193 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Window / User API: threadDelayed 475 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window / User API: threadDelayed 769 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window / User API: threadDelayed 5317 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window / User API: threadDelayed 3214 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window / User API: foregroundWindowGot 778 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Window / User API: foregroundWindowGot 764 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Window / User API: threadDelayed 3618 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Window / User API: threadDelayed 5963 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Window / User API: windowPlacementGot 1978 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 4944 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 6948 Thread sleep count: 475 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 3004 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe TID: 6380 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7060 Thread sleep count: 769 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 7060 Thread sleep time: -76900s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 Thread sleep count: 5317 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 Thread sleep time: -5317000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 Thread sleep count: 3214 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 6392 Thread sleep time: -3214000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599874s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599762s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599546s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599435s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599308s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -599093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598983s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598875s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598656s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598545s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598437s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598328s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598218s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -598109s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597955s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597828s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597716s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597608s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597500s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597390s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597275s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597170s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -597061s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596923s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596560s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596451s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596343s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596233s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595907s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595780s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595672s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595553s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595201s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -595093s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594984s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594867s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594640s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594530s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594312s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe TID: 7520 Thread sleep time: -594193s >= -30000s Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599874 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599762 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599546 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599435 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599308 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 599093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598983 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598875 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598656 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598545 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598437 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598328 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598218 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 598109 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597955 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597828 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597716 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597608 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597500 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597390 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597275 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597170 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 597061 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596923 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596797 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596560 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596451 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596233 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595907 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595780 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595672 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595553 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595201 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 595093 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594984 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594867 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594750 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594640 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594530 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594422 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594312 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Thread delayed: delay time: 594193 Jump to behavior
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr Binary or memory string: vboxtray
Source: Umbral.exe.0.dr Binary or memory string: vboxservice
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr Binary or memory string: qemu-ga
Source: ANDYzz-protected.exe, 00000003.00000002.4131666608.00000191DE220000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo}
Source: Umbral.exe.0.dr Binary or memory string: vmwareuser
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp, Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, Umbral.exe.0.dr Binary or memory string: vmusrvc
Source: netsh.exe, 00000007.00000003.1671541873.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 0000000A.00000003.1683144115.0000000003742000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllS
Source: Umbral.exe.0.dr Binary or memory string: vmwareservice+discordtokenprotector
Source: svchost.exe, 00000002.00000002.4084254403.0000000001494000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Umbral.exe.0.dr Binary or memory string: vmsrvc
Source: Umbral.exe.0.dr Binary or memory string: vmtoolsd
Source: Umbral.exe.0.dr Binary or memory string: vmwaretray
Source: KvS2rT08PQ.exe, 00000000.00000002.1649444082.00000000009DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Umbral.exe, 00000001.00000002.1697775557.00000253800DE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareservice
Source: Umbral.exe, 00000001.00000002.1698819541.00000253F920C000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000009.00000003.1681145917.0000000000B01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000002.00000002.4084198852.000000000147D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlld
Source: C:\Windows\System32\wbem\WMIC.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.124.142.205 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.125.223.134 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 3.125.209.94 19177 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Network Connect: 18.158.249.75 19177 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\Umbral.exe "C:\Users\user\AppData\Local\Temp\Umbral.exe" Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Process created: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe "C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Process created: C:\Windows\System32\wbem\WMIC.exe "wmic.exe" csproduct get uuid Jump to behavior
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:20:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:16:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:01:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:43:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:11:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:47:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/20 | 22:41:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:57:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:22:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:50:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:34:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:31:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:42:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:13:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:52:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:21:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:58:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:19:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:09:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:08:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:26:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:48:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:38:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:14:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:58:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:46:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:24:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:06:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:06:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:30:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:35:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:18:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:57:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:34:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:07:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:08:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:45:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:24:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:43:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:23:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:32:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:42:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:53:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:13:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:19:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:32:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:59:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:11:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:27:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:38:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:35:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:47:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:09:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:53:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:50:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:19:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:19:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:45:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:00:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:02:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:27:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:27:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:35:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:10:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:37:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:41:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:16:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 18:33:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:31:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:56:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:58:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:38:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:07:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:48:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:22:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:36:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:15:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:02:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:46:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:07:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:33:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:23:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:54:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:35:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:08:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:02:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:36:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/24 | 00:03:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:08:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:55:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:15:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:22:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:18:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:23:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:28:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:17:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:15:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:26:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:23:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:31:41 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:44:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:39:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:25:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:41:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:12:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:15:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:22:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:47:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:45:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:12:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:41:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:55:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:49:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:37:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:39:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:55:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:45:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:24:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:36:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:03:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:20:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:03:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:53:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:49:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:56:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:09:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:12:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:58:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:01:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:01:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:53:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:34:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:10:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:25:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:44:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:45:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:27:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:52:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:27:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:00:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 18:01:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:45:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:57:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:29:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:32:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:08:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:37:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:24:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:47:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:56:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:11:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:36:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:40:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:05:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:21:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:25:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/20 | 21:32:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:00:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:21:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:56:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:28:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:06:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/20 | 21:42:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:06:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:40:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:21:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:43:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:12:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:31:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:08:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:51:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:10:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:59:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:25:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:41:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:40:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:59:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:30:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:32:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:38:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:55:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:07:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:51:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:31:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:54:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:04:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:16:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:42:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:53:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:14:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:20:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:10:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:12:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:59:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:22:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:18:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:34:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:42:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:44:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:30:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:42:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:03:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:53:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:44:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:42:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:31:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:11:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:26:41 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:28:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:36:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:50:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:38:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:36:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:46:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:25:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:24:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:10:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:33:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:37:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:58:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:12:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:47:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:41:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:32:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:47:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:40:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:57:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:15:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:40:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:28:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:11:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:36:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:16:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:59:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:03:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:46:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:17:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:06:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:38:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:56:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:59:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:03:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:09:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:23:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:12:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 09:12:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 03:52:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:04:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:58:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:42:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:15:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:24:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:20:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:06:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:03:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:31:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:42:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:33:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:48:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:34:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:56:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:18:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 18:58:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:05:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:26:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:17:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:48:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 18:23:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:14:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:57:53 - Program Manager
Source: svchost.exe, 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.0.dr Binary or memory string: Shell_traywnd+MostrarBarraDeTarefas
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:42:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:37:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:42:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:01:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:48:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:50:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:02:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:50:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:51:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:56:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:35:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:04:11 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:35:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:53:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:49:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:04:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:12:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:12:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:09:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:32:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:45:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:20:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:14:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:07:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 09:03:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:40:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:19:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:39:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:21:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:23:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:21:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:46:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:25:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:38:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:38:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:37:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:29:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:49:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:48:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:27:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:45:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:37:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:25:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:14:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:11:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:29:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:54:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:43:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:39:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:10:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:03:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:47:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:41:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:58:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:51:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.0000000003E91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:27:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:37:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:46:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:36:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:16:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:01:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:52:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:19:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:33:23 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:58:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:13:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:39:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:55:39 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:15:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:04:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:41:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:10:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:47:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:47:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:22:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:49:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:23:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:48:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:43:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:06:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:14:41 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:22:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:00:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:34:27 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:34:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:07:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:26:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:51:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:04:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:46:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:36:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:54:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:50:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:49:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:43:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:44:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:52:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:35:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:28:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:08:49 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:39:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:55:59 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:00:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:20:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:59:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:24:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:45:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:59:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:47:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:45:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:55:01 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:42:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:09:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:03:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:37:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:59:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:51:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:27:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:59:47 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:40:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:16:05 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:28:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:24:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:24:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:59:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:16:15 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:22:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:18:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:20:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:42:28 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:05:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:54:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:38:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:31:19 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:30:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 11:53:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:33:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:38:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:41:55 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:56:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:41:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 19:10:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:46:44 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 18:39:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:13:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:03:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:17:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:49:29 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:18:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:10:45 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:58:26 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:01:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 12:08:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:15:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:51:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:22:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:07:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:28:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:48:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:36:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:13:40 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:07:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:54:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:36:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:04:08 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:52:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:04:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:39:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:07:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:44:02 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:25:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:46:24 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:56:33 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:00:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:33:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 04:19:57 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:36:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:25:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.0000000003B42000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:32:32 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:15:54 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:40:00 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:12:30 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:53:07 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:59:58 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 20:45:03 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:20:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:49:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:12:17 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/24 | 00:03:31 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:29:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:04:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:05:43 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:05:48 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:25:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:31:14 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:10:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:13:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:23:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:27:06 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 14:35:18 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:14:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 10:18:53 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:54:37 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:22:38 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:10:09 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:07:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:17:10 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:54:46 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:39:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:35:35 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:38:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:46:51 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:21:50 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:00:13 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:54:41 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 23:51:42 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:45:21 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 08:38:52 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 22:38:20 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000005491000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 09:46:56 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:19:22 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:53:34 - Program Manager
Source: svchost.exe, 00000002.00000002.4100093724.0000000003BD7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.4100093724.000000000400C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/21 | 13:23:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 06:11:16 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 03:52:04 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 05:03:12 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 04:39:25 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/23 | 21:57:36 - Program Manager
Source: svchost.exe, 00000002.00000002.4105943470.0000000004A91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 24/04/26 | 07:32:15 - Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Queries volume information: C:\Users\user\Desktop\KvS2rT08PQ.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Umbral.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Umbral.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ANDYzz-protected.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\KvS2rT08PQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Contains functionality to disable the Task Manager (.Net Source)
Source: svchost.exe.0.dr, Fransesco.cs .Net Code: INS
Disables zone checking for all users
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS Jump to behavior
Modifies the windows firewall
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
Uses netsh to modify the Windows network and firewall settings
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Stealing of Sensitive Information
barindex
Yara detected Blank Grabber
Source: Yara match File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Yara detected Njrat
Source: Yara match File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Yara detected Umbral Stealer
Source: Yara match File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: Electrum
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: BytecoinJaxx!com.liberty.jaxx
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: Exodus
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: Ethereum
Source: Umbral.exe, 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp String found in binary or memory: keystore
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Blank Grabber
Source: Yara match File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
Yara detected Njrat
Source: Yara match File source: 2.0.svchost.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.1643260716.0000000000E02000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4100093724.0000000003A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6264, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
Yara detected Umbral Stealer
Source: Yara match File source: 1.0.Umbral.exe.253f8f30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1642162962.00000253F8F32000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Umbral.exe PID: 2180, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Umbral.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1429103 Sample: KvS2rT08PQ.exe Startdate: 20/04/2024 Architecture: WINDOWS Score: 100 43 0.tcp.eu.ngrok.io 2->43 45 keyauth.win 2->45 47 ip-api.com 2->47 59 Snort IDS alert for network traffic 2->59 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 16 other signatures 2->65 9 KvS2rT08PQ.exe 5 2->9         started        signatures3 process4 file5 37 C:\Users\user\AppData\Local\...\svchost.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\Local\Temp\Umbral.exe, PE32 9->39 dropped 41 C:\Users\user\...\ANDYzz-protected.exe, PE32+ 9->41 dropped 67 Drops PE files with benign system names 9->67 13 svchost.exe 1 6 9->13         started        17 Umbral.exe 14 3 9->17         started        19 ANDYzz-protected.exe 14 2 9->19         started        signatures6 process7 dnsIp8 49 0.tcp.eu.ngrok.io 18.158.249.75, 19177, 49737, 49740 AMAZON-02US United States 13->49 51 3.124.142.205, 19177, 49759, 49760 AMAZON-02US United States 13->51 57 2 other IPs or domains 13->57 69 Antivirus detection for dropped file 13->69 71 System process connects to network (likely due to code injection or exploit) 13->71 73 Multi AV Scanner detection for dropped file 13->73 79 3 other signatures 13->79 21 netsh.exe 13->21         started        23 netsh.exe 13->23         started        25 netsh.exe 13->25         started        53 ip-api.com 208.95.112.1, 49734, 80 TUT-ASUS United States 17->53 75 Machine Learning detection for dropped file 17->75 77 Found many strings related to Crypto-Wallets (likely being stolen) 17->77 27 WMIC.exe 1 17->27         started        55 keyauth.win 104.26.0.5, 443, 49733, 49735 CLOUDFLARENETUS United States 19->55 signatures9 process10 process11 29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
3.125.223.134
 unknown United States
16509 AMAZON-02US true
3.125.209.94
 unknown United States
16509 AMAZON-02US true
104.26.0.5
 keyauth.win United States
13335 CLOUDFLARENETUS false
3.124.142.205
 unknown United States
16509 AMAZON-02US true
18.158.249.75
 0.tcp.eu.ngrok.io United States
16509 AMAZON-02US true

Contacted Domains

Name IP Active
keyauth.win 104.26.0.5 true
ip-api.com 208.95.112.1 true
0.tcp.eu.ngrok.io 18.158.249.75 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_- true unknown
https://keyauth.win/api/1.0/ false unknown
http://ip-api.com/line/?fields=hosting false
    		high