Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1430552
MD5: b9882fe8bb7ab2a4d094f9ff5442df1c
SHA1: e17c146530a4371e0595c195c24863935a3dee8b
SHA256: 4f47d84b03f5cfa3845d1b36df5e40df984756fc6ba2d98586eb39dced212628
Tags: exex64

Detection

Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
Yara detected zgRAT
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Modifies Group Policy settings
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Blogpost URLs: 
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: 
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: 
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and cryptowallets. It usually spreads by USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: 
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Default12_my[1].exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe ReversingLabs: Detection: 16%
Source: file.exe ReversingLabs: Detection: 57%
Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe Joe Sandbox ML: detected
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetProcAddress
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: LoadLibraryA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: lstrcatA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: OpenEventA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateEventA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CloseHandle
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Sleep
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetUserDefaultLangID
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: VirtualAllocExNuma
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: VirtualFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetSystemInfo
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: VirtualAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HeapAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetComputerNameA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: lstrcpyA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetProcessHeap
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetCurrentProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: lstrlenA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ExitProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetSystemTime
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SystemTimeToFileTime
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: advapi32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: gdi32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: user32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: crypt32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ntdll.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetUserNameA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateDCA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetDeviceCaps
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ReleaseDC
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CryptStringToBinaryA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sscanf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: VMwareVMware
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HAL9TH
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: JohnDoe
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DISPLAY
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %hu/%hu/%hu
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: http://185.172.128.76
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: /3cd2b41cbde8fc9c.php
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: /15f649199f40275b/
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: default10
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetFileAttributesA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GlobalLock
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HeapFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetFileSize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GlobalSize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: IsWow64Process
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Process32Next
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetLocalTime
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: FreeLibrary
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetTimeZoneInformation
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetSystemPowerStatus
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetVolumeInformationA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Process32First
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetModuleFileNameA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DeleteFileA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: FindNextFileA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: LocalFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: FindClose
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: LocalAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetFileSizeEx
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ReadFile
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SetFilePointer
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: WriteFile
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateFileA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: FindFirstFileA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CopyFileA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: VirtualProtect
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetLastError
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: lstrcpynA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: MultiByteToWideChar
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GlobalFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: WideCharToMultiByte
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GlobalAlloc
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: OpenProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: TerminateProcess
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetCurrentProcessId
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: gdiplus.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ole32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: bcrypt.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: wininet.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: shlwapi.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: shell32.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: psapi.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: rstrtmgr.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SelectObject
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BitBlt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DeleteObject
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateCompatibleDC
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipGetImageEncoders
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdiplusStartup
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdiplusShutdown
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipSaveImageToStream
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipDisposeImage
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GdipFree
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetHGlobalFromStream
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CoUninitialize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CoInitialize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CoCreateInstance
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptDecrypt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptSetProperty
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptDestroyKey
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetWindowRect
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetDesktopWindow
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetDC
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CloseWindow
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: wsprintfA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CharToOemW
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: wsprintfW
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RegQueryValueExA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RegEnumKeyExA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RegOpenKeyExA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RegCloseKey
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RegEnumValueA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CryptBinaryToStringA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CryptUnprotectData
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SHGetFolderPathA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ShellExecuteExA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetOpenUrlA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetConnectA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetCloseHandle
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetOpenA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HttpSendRequestA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HttpOpenRequestA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetReadFile
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: InternetCrackUrlA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: StrCmpCA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: StrStrA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: StrCmpCW
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PathMatchSpecA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: GetModuleFileNameExA
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RmStartSession
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RmRegisterResources
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RmGetList
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: RmEndSession
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_open
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_step
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_column_text
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_finalize
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_close
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_column_bytes
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3_column_blob
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: encrypted_key
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PATH
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: NSS_Init
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: NSS_Shutdown
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PK11_FreeSlot
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PK11_Authenticate
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: C:\ProgramData\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: browser:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: profile:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: url:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: login:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: password:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Opera
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: OperaGX
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Network
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: cookies
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: .txt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: TRUE
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: FALSE
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: autofill
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: history
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: name:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: month:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: year:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: card:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Cookies
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Login Data
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Web Data
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: History
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: logins.json
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: formSubmitURL
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: usernameField
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: encryptedUsername
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: encryptedPassword
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: guid
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: cookies.sqlite
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: formhistory.sqlite
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: places.sqlite
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: plugins
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Local Extension Settings
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Sync Extension Settings
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: IndexedDB
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Opera Stable
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Opera GX Stable
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: CURRENT
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: chrome-extension_
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Local State
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: profiles.ini
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: chrome
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: opera
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: firefox
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: wallets
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %08lX%04lX%lu
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ProductName
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ProcessorNameString
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DisplayName
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DisplayVersion
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Network Info:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - IP: IP?
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Country: ISO?
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: System Summary:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - HWID:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - OS:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Architecture:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - UserName:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Computer Name:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Local Time:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - UTC:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Language:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Keyboards:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Laptop:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Running Path:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - CPU:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Threads:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Cores:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - RAM:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - Display Resolution:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: - GPU:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: User Agents:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Installed Apps:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: All Users:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Current User:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Process List:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: system_info.txt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: freebl3.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: mozglue.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: msvcp140.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: nss3.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: softokn3.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: vcruntime140.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Temp\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: .exe
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: runas
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: open
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: /c start
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %DESKTOP%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %APPDATA%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %USERPROFILE%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %DOCUMENTS%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %PROGRAMFILES%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: %RECENT%
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: *.lnk
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: files
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \discord\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Local Storage\leveldb
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Telegram Desktop\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: key_datas
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: map*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: F8806DD0C461824F*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Telegram
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: *.tox
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: *.ini
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Password
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: 00000001
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: 00000002
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: 00000003
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: 00000004
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Pidgin
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \.purple\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: accounts.xml
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: token:
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Software\Valve\Steam
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: SteamPath
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \config\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ssfn*
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: config.vdf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DialogConfig.vdf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: libraryfolders.vdf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: loginusers.vdf
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Steam\
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: sqlite3.dll
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: browsers
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: done
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: soft
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: \Discord\tokens.txt
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: https
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: POST
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: HTTP/1.1
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: hwid
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: build
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: token
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: file_name
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: file
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: message
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 10.3.u5v8.0.exe.4200000.0.raw.unpack String decryptor: screenshot.jpg

Bitcoin Miner

Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR

Compliance

Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213748763.log
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213755078.log
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: appidpolicyconverter.pdbOGPS source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xuzajoraxiy_20\kolazuto93\rimixosugixe lerofulugo\d.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444036361.000000000418C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1446288176.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1450570795.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448867855.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449341280.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004221000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041EC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448071216.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004203000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006C5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: hh.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hh.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xopuxokusi 56_texag poxibivo\tajicewudok\gosicuk_84\cifafu.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484213650.0000000004B63000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483831434.00000000041CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidpolicyconverter.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: GC:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &SC:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: wntdll.pdb source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arp.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: C:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arp.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006F69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp

Change of critical system settings

Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041D9E1 FindFirstFileExA, 4_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041D9E1 FindFirstFileExA, 11_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCDC48 FindFirstFileExA, 11_2_05BCDC48
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041D9E1 FindFirstFileExA, 19_2_0041D9E1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CFDC48 FindFirstFileExA, 19_2_05CFDC48
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041D9E1 FindFirstFileExA, 21_2_0041D9E1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041DDC48 FindFirstFileExA, 21_2_041DDC48
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe

Networking

Source: Malware configuration extractor URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: OVzuyLkGPqt0m8hgNA0UwSGi.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: MG5MpTL6PRxqs920w9IrKJko.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: S0j14drhBOZGdsEYt1IovCSw.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 5u7SB52PiwyXmzPmIXkMxPnZ.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wgX5ZSzR0AzMXHqanPag1gRj.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: iAPF4MKQOxaJ8L9hAx7lvOHo.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: deCnBzZpp4FSC4HClFNfim7T.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: q4ApAlF0htaDXDwpRuZbSs2D.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: sih6EQ3BvpoPxj5e02CfNWP2.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: kRFsXXLVSoPNsmIBFOClxrFF.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ZHH3BNVA85IlSTeCpiV3Sgqb.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: yREZhEa2ap6ZrOOJ0dooObNn.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: A7Npgp1C644Vm1weiCOIngpF.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: LnpGonVmQMt0HGAJRWXt8CZk.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: fOd8yCx7heVUBotMVvn44Lkb.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: CTyBq7xXhWynL963jluoRo4q.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 3byEz2syG9SedsHKOY8fjUva.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: INMby6bIteiPvZFBRf5MhptY.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tse6OoEOj17quPLpMuzuQXuv.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: HPgOzBdOCsD6vN5fCp1Y0Y3P.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wsXaFUksxPKBrRgSF8fdC4UJ.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: EuHyDssPP1nHlUuAX6xe7qHq.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wAM2iVsYnasUH1XcQbAuEKO9.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: N3D3oWQLfg7NjRxQawhp2xIb.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ymBV9PkPmsW6KLoPxnFlPP0z.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 8iDMf15n1CQluRX22T9R9HtN.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: DNg5zB00z0ICTiOXsQq9DsCv.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: nCCWNGZR7QSL7YK34Xz98mnq.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: ukkppf7mf9IddXdKqN6kNkCJ.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 2OefjtQaIUwmUU1DhudbapTO.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: iDLONIGJibQO1rqOKEJT8AYO.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: UCtmeOC2UHPIofYPbbfGVnal.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: FwFq2CwBYW7qN3JbE79MHY4Z.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tGiGhkaVGjaUagcI8QYmh6fh.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: e1O1AS1wlBZ3lHR2WsdujqoS.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: kkscE0U22us2Ek0MCP4ULYeK.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: O6RtFEDLFiXwylenzKOH7OwY.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: qYfRayRyiLshGUXCOWUSZUEQ.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: SzeKmiZzCnF5yGTNutlHXxk9.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: MDU18mQfPfwBDyDbk7CN3cwx.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: tM9DijOJq3CQOn3hcO2NIvuX.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 5O2KNFG7blvHjvUDwarAfNHb.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: wW4vGceNlpE9ACIAc69a33Yc.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: jqRWDGKFMtlcJKUGe2uvqxuP.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: 3G30xcq8tfWItduGYVyT9CxK.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: O85XP7ZryV2biCD7WlxJwLlh.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: RnLGWQq0a888ySvUu4yqkuTs.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: IoXU8aP1TtCLwW6SykMr9y3D.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: fUzbEYrAlNz7Rv11K6EiLt1x.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: lylTQvkvcBwpzWzbHg6So2Er.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: UK8ipx6lqPw4aE70mcGL0JtJ.exe.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: R7XM8tWXgAp1wQYVEs65Btkd.exe.3.dr
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: ZJJS5bo63td4EjeR2XP_7oEx.exe.5.dr
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: qsEUVigKfPVLrm9GWTo8ucsA.exe.5.dr
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: 7vjGPpkhw2aAaC2CnZlC02OG.exe.5.dr
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: Yara match File source: 0.2.file.exe.27f3a5774e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.27f39cfde18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00426504 __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket, 4_2_00426504
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.135/ohhelly
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.135/ohhellyOW
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.135/ohhellyPJ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.113.115.135/ohhellyxe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php0/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe3W
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.php
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpAV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447491375.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445863210.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpI
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/getimage12.phpUV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.php.
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/retail.phphp
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php(
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php4W
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php8W
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php=W
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.phpA3
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.phpj
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp String found in binary or memory: http://download.iolo.net
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp String found in binary or memory: http://google.com
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0&
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: file.exe, 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1314917888.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidpP
Source: file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidpP#
Source: file.exe, 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1314917888.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepP
Source: file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepP#
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sf.symcd.com0&
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://togaterecutirenics.sbs/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://togaterecutirenics.sbs/0
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://togaterecutirenics.sbs/rt
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://togaterecutirenics.sbs/rtO
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://togaterecutirenics.sbs/rtxe3W
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.php
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1488155637.0000000004165000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.php3su
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1488155637.0000000004165000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/forum/index.phpEsc
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wikkt.com/m
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp String found in binary or memory: http://www.indyproject.org/
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000003.1861206412.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.1327386065.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000000.1314917888.00007FF6388B2000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: https://blockchain.infoindex
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1490754254.000000000416F000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.000000000410B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exeE
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.000000000410B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.000000000410B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466949555.0000000004104000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.000000000410B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.000000000410B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exec
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exess=V
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/MV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/EQ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.0000000004148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/ba05c0a0a72880db02f3b2bf7866285a/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/uQ
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/EQ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/R
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/ba05c0a0a72880db02f3b2bf7866285a/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/ba05c0a0a72880db02f3b2bf7866285a/7725eaa6592c80f8124e769b4e8a07f7.exeWebKit/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/j
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cheremushki.net/mV
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2204224716.0000000007353000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com/style/060.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com/style/060.exe3
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com/style/060.exe3/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com/style/060.exeQV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com:80/style/060.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com:80/style/060.exeEQ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447491375.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002ACE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445863210.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dod.fastbutters.com:80/style/060.exeG
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000003.1861206412.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeEV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exehic
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exes
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exes.#
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exexemQ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/IV
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com:80/525403/setup.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com:80/525403/setup.exemQ
Source: file.exe, 00000000.00000002.1323600743.0000027F39071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F3A57C000.00000004.00001000.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1761896384.0000000007243000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2096381069.0000000005073000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.Qb0WswhkLhoa
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1454114356.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485462188.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1458630982.0000000004130000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://togaterecutirenics.sbs/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B18000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453988094.000000000417E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480209801.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479436217.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484968628.0000000004164000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449962557.000000000417F000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://togaterecutirenics.sbs/rt
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1453908557.00000000006B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://togaterecutirenics.sbs/rtB
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/qQ
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1505826011.0000000004165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/6
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1505826011.0000000004165000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/Apg
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/L
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurK
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495494393.0000000004130000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El06I
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668900186?hash=FpdDjHFtSx5c0WPZoJe3fUQ5LwI9qJk1fUTDbMELBQ8&dl=XG2RO9fdQ1T9
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.0000000004114000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.0000000004114000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQzIU
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGi
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b0
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1510180212.00000000040FA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668862025?hash=rZAtNKZ8jzd7e9UKuB7jZZstkXZGEcmTXg0oxAzukh8&dl=bnAa6o9El
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507362757.00000000040F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668907894?hash=eTJ5SXFgNlVQn3fSuayzbK2uQj2QDtrGinGQ1gFeZF8&dl=85Q0IzWrQ
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006E35000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006E25000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006F65000.00000004.00000020.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5v8.0.exe, 0000000A.00000003.1500584438.0000000004307000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.8Z86fTxZfkM6
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.UnUp0v0CLe9Y
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5v8.0.exe, 0000000A.00000003.1948291370.0000000030A93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1323600743.0000027F3A471000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1323600743.0000027F39A71000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://yip.su/RNWPd.exeChttps://pastebin.com/raw/E0rY26ni5https://iplogger.com/1lyxz
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1434784315.0000000002B49000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1447829386.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B35000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1507524439.0000000002AE5000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002B23000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exe4ba5b01423b1af8ec10ab5719d97.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exeexe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exek
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exet
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124e769b4e8a07f7.exexe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002AFB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444654791.0000000002AFA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002AF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com/7725eaa6592c80f8124p
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exe8
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445572018.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1455160255.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444133559.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479500645.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1496087050.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1435218674.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1492726768.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1506874519.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1477033199.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://zanzibarpivo.com:80/7725eaa6592c80f8124e769b4e8a07f7.exeJ

E-Banking Fraud

Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\QV2CtvThMWBnTkQtNtmINgo7.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\XqzL1fMvCxCCFKp0SSzKRmTk.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\bfxtyeVJT5bBfIUy0v6XVgPU.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\75ML2QNSkdxIefrPkvr0UjCi.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\f1yTeHrlUuYsPLKRUrl6KMpe.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\fkwQUocr72Hw75SyPBzpetnQ.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\wv3L00mTLTTnOX1S2obszDcX.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\QFdxqcJJKBnNvVH34NTBZO9k.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\s2d02ZEHUbxI410yPzvUYGTP.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\pHBfSuis1Xhkv6ZdHJOyObLb.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\MLHy8CHCXXPjzOh2OJFrG13g.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\zFZkiprzkq8Ae7mkklwscu5a.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\r0DfbOvsdOtWhxCPYUgwqjYI.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\t5dER7PVcN8YbrHzsawB4xKm.exe entropy: 7.99150344378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\7ajn4zo6v0GdgVSDv67pQ6UA.exe entropy: 7.99150344378
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe entropy: 7.99823692801
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe entropy: 7.99823692801
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe entropy: 7.99613628014
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe entropy: 7.99613628014
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\ff086fda entropy: 7.99714560633
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package entropy: 7.99999212861
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe entropy: 7.99999212861
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package entropy: 7.99998944371
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe entropy: 7.99998944429

System Summary

Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.2122134547.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000029.00000002.2100222351.00000000043EC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001D.00000002.1939799886.000000000439C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000022.00000002.2121373428.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.1938329589.0000000004300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.1937757105.000000000408C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000015.00000002.1930196904.000000000434C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.1940278884.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Code function: 24_2_0040EA54 NtQuerySystemInformation, 24_2_0040EA54
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Windows\SysWOW64\schtasks.exe File created: C:\Windows\Tasks\bWycNackLSywaqkmgR.job
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File created: C:\Windows\system32\GroupPolicy\Adm
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File deleted: C:\Windows\SysWOW64\GroupPolicytcUHV
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385EEA40 0_2_00007FF6385EEA40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F0AE0 0_2_00007FF6385F0AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385DB020 0_2_00007FF6385DB020
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385FD210 0_2_00007FF6385FD210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F17B0 0_2_00007FF6385F17B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385D5950 0_2_00007FF6385D5950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385E19D0 0_2_00007FF6385E19D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385D8AC0 0_2_00007FF6385D8AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385DFBA0 0_2_00007FF6385DFBA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F2BF0 0_2_00007FF6385F2BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385D4CA0 0_2_00007FF6385D4CA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F4D50 0_2_00007FF6385F4D50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385C9FF0 0_2_00007FF6385C9FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F00A0 0_2_00007FF6385F00A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6386EC080 0_2_00007FF6386EC080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385E1112 0_2_00007FF6385E1112
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385E22B0 0_2_00007FF6385E22B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385EB320 0_2_00007FF6385EB320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F6360 0_2_00007FF6385F6360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385F58E0 0_2_00007FF6385F58E0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041B84B 4_2_0041B84B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040BA80 4_2_0040BA80
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040C2AC 4_2_0040C2AC
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_004123A0 4_2_004123A0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040F441 4_2_0040F441
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040BD2A 4_2_0040BD2A
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0042153C 4_2_0042153C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040C6A0 4_2_0040C6A0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00408761 4_2_00408761
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041BF69 4_2_0041BF69
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040B70E 4_2_0040B70E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0040BFF1 4_2_0040BFF1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041B84B 11_2_0041B84B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040BA80 11_2_0040BA80
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040C2AC 11_2_0040C2AC
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_004123A0 11_2_004123A0
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040F441 11_2_0040F441
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040BD2A 11_2_0040BD2A
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0042153C 11_2_0042153C
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040C6A0 11_2_0040C6A0
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_00408761 11_2_00408761
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041BF69 11_2_0041BF69
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040B70E 11_2_0040B70E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0040BFF1 11_2_0040BFF1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBC513 11_2_05BBC513
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBBCE7 11_2_05BBBCE7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBBF91 11_2_05BBBF91
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBF6A8 11_2_05BBF6A8
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BC2607 11_2_05BC2607
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB89C8 11_2_05BB89C8
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBC907 11_2_05BBC907
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBB975 11_2_05BBB975
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCBAB2 11_2_05BCBAB2
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBC258 11_2_05BBC258
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041B84B 19_2_0041B84B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040BA80 19_2_0040BA80
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040C2AC 19_2_0040C2AC
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_004123A0 19_2_004123A0
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040F441 19_2_0040F441
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040BD2A 19_2_0040BD2A
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0042153C 19_2_0042153C
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040C6A0 19_2_0040C6A0
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_00408761 19_2_00408761
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041BF69 19_2_0041BF69
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040B70E 19_2_0040B70E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0040BFF1 19_2_0040BFF1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEC513 19_2_05CEC513
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEBCE7 19_2_05CEBCE7
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEBF91 19_2_05CEBF91
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEF6A8 19_2_05CEF6A8
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CF2607 19_2_05CF2607
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CE89C8 19_2_05CE89C8
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEB975 19_2_05CEB975
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEC907 19_2_05CEC907
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CFBAB2 19_2_05CFBAB2
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEC258 19_2_05CEC258
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041B84B 21_2_0041B84B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040BA80 21_2_0040BA80
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040C2AC 21_2_0040C2AC
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_004123A0 21_2_004123A0
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040F441 21_2_0040F441
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040BD2A 21_2_0040BD2A
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0042153C 21_2_0042153C
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040C6A0 21_2_0040C6A0
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_00408761 21_2_00408761
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041BF69 21_2_0041BF69
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040B70E 21_2_0040B70E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0040BFF1 21_2_0040BFF1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CBCE7 21_2_041CBCE7
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CC513 21_2_041CC513
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041D2607 21_2_041D2607
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CF6A8 21_2_041CF6A8
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CBF91 21_2_041CBF91
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CC907 21_2_041CC907
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CB975 21_2_041CB975
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041C89C8 21_2_041C89C8
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CC258 21_2_041CC258
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041DBAB2 21_2_041DBAB2
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 05CE1BE3 appears 40 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 05CE1D46 appears 39 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 05CE9F27 appears 48 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 05D0780B appears 43 times
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: String function: 05CE36F8 appears 130 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 041C9F27 appears 48 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 041C1D46 appears 39 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 041E780B appears 43 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 041C1BE3 appears 40 times
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: String function: 041C36F8 appears 130 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 004275A4 appears 43 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 05BB1BE3 appears 40 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 05BB1D46 appears 39 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 05BD780B appears 43 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 05BB9F27 appears 48 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: String function: 05BB36F8 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF6385CB330 appears 52 times
Source: file.exe Static PE information: invalid certificate
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: ra8RK0HZwqsQsFKuKAOljczn.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 01ySZukOlUcP5NF6FSceJyuX.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: nMCfbx6hx0DUWGYJuDAMUAIJ.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: ugGFIzLnD3Xk89zL7XSYeDGh.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 3CfyWUQfEPMLfwgMw9RKzj9q.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 0Flev5sTDyJ3duKpLfv5ka2Z.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: Fh7qhqxo9lqcq8fZJGpCZFiC.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 0DWhHyQpdxsJp4gA1M0WjqnA.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: CzCAVDbVcAMwrBna8hMGEVEa.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: IiFh1rXOMpGB7BnxmUig3wkQ.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: jZXBdg5rull5j6LgJCWVgVos.exe.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr Static PE information: Resource name: RT_CURSOR type: COM executable for DOS
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1323600743.0000027F3A471000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew.exe" vs file.exe
Source: file.exe, 00000000.00000002.1326287625.0000027F49071000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameayuUIPawoT8 vs file.exe
Source: file.exe, 00000000.00000002.1327865826.00007FF6388E4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameayuUIPawoT8 vs file.exe
Source: file.exe, 00000000.00000002.1323600743.0000027F39A71000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew.exe" vs file.exe
Source: 00000015.00000002.1918521862.00000000041C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000029.00000002.2099601729.00000000041B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.1917490394.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2175970589.000000000418C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.2122134547.00000000043D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000029.00000002.2100222351.00000000043EC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2255300318.000000000411C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2259248364.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2184889083.0000000004440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.1939799886.000000000439C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000022.00000002.2121373428.00000000040CC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.1938329589.0000000004300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.1937757105.000000000408C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000015.00000002.1930196904.000000000434C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.2255723708.0000000005BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000013.00000002.1926817341.0000000005CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2279821604.0000000005BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.1940278884.00000000043C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@208/425@0/45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385D4AD0 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF6385D4AD0
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040CCCD6 CreateToolhelp32Snapshot,Module32First, 4_2_040CCCD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3124:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Mutant created: \BaseNamedObjects\Global\1_H69925949
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_11
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_12
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5204:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Mutant created: \Sessions\1\BaseNamedObjects\BCClipboard {538F9E0A-E997-4AD2-8CB0-C8E991C010EF}
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Jump to behavior
Source: Yara match File source: 35.0.u69w.1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000003.2080394798.0000000006A3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1847945255.0000000006A38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2086147863.0000000006A37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.1537903237.0000000000401000.00000020.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.2095182963.0000000006A3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1624901520.0000000006A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1635257524.0000000006A1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1674965384.0000000006B5E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u624.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u69w.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u33c.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u4dc.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u1hw.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u4hg.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u46g.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u2r8.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5v8.1.exe, type: DROPPED
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: one 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: two 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: three 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: four 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: five 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: six 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: seven 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: eight 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: nine 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: ten 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: 185.172.128.90 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: Installed 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: 185.172.128.228 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: 185.172.128.59 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: /syncUpd.exe 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: /1/Qg_Appv5.exe 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: Qg_Appv5.exe 4_2_00424B3E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Command line argument: /BroomSetup.exe 4_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: one 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: two 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: three 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: four 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: five 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: six 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: seven 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: eight 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: nine 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: ten 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.90 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: Installed 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.228 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.59 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /syncUpd.exe 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /1/Qg_Appv5.exe 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: Qg_Appv5.exe 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /BroomSetup.exe 11_2_00424B3E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: @ 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: one 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: two 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: five 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: seven 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: eight 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: nine 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: ten 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.90 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: Installed 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.228 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: 185.172.128.59 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /syncUpd.exe 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /1/Qg_Appv5.exe 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: Qg_Appv5.exe 11_2_05BD4DA5
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Command line argument: /BroomSetup.exe 11_2_05BD4DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: one 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: two 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: three 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: four 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: five 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: six 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: seven 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: eight 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: nine 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: ten 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.90 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: Installed 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.228 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.59 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /syncUpd.exe 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /1/Qg_Appv5.exe 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: Qg_Appv5.exe 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /BroomSetup.exe 19_2_00424B3E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: @ 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: one 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: two 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: five 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: seven 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: eight 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: nine 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: ten 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.90 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: Installed 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.228 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: 185.172.128.59 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /syncUpd.exe 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /1/Qg_Appv5.exe 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: Qg_Appv5.exe 19_2_05D04DA5
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Command line argument: /BroomSetup.exe 19_2_05D04DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: one 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: two 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: three 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: four 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: five 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: six 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: seven 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: eight 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: nine 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: ten 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.90 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: Installed 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.228 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.59 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /syncUpd.exe 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /1/Qg_Appv5.exe 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: Qg_Appv5.exe 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /BroomSetup.exe 21_2_00424B3E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: @ 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: one 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: two 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: five 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: seven 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: eight 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: nine 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: ten 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.90 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: Installed 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.228 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: 185.172.128.59 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /syncUpd.exe 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /1/Qg_Appv5.exe 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: Qg_Appv5.exe 21_2_041E4DA5
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Command line argument: /BroomSetup.exe 21_2_041E4DA5
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: file.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1374404248.00000000023C0000.00000004.00001000.00020000.00000000.sdmp, wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.0000000140001000.00000040.00000001.01000000.00000015.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1405006585.0000000002A57000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000003.1545346922.000000002471E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe "C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe "C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe em /VNsite_idnLd 385118 /S
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Process created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe .\Install.exe /nxdidQZJ "385118" /S
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\forfiles.exe Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: propsys.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: edputil.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: appresolver.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: slc.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sppc.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pcacli.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: wininet.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: gpedit.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: activeds.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: dssec.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: dsuiext.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: framedynos.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: dsrole.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: logoncli.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: activeds.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ntdsapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: authz.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: webio.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: schannel.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: msasn1.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: amsi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fhsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msidle.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fhcfg.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: efsutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncasvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: httpprxp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wpdbusenum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: portabledeviceconnectapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: acgenral.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: winmm.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: samcli.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: msacm32.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: version.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: aclayers.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: sfc.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: propsys.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: edputil.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: appresolver.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: slc.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: sppc.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pcacli.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wldp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: propsys.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: profapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: edputil.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: netutils.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: appresolver.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: slc.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: userenv.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: sppc.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pcacli.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: mpr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: napinsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: wshbth.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: winrnr.dll
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static file information: File size 3428696 > 1048576
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of .managed is bigger than: 0x100000 < 0x14be00
Source: file.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x12fc00
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: appidpolicyconverter.pdbOGPS source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xuzajoraxiy_20\kolazuto93\rimixosugixe lerofulugo\d.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1444036361.000000000418C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1446288176.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1450570795.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448867855.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1449341280.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004221000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1443603426.000000000417B000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041EC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1448071216.000000000424E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1442893486.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1445115527.0000000004203000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006C5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: hh.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hh.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F46000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\xopuxokusi 56_texag poxibivo\tajicewudok\gosicuk_84\cifafu.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1484213650.0000000004B63000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483831434.00000000041CC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidpolicyconverter.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: GC:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: wntdll.pdbUGP source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: &SC:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: wntdll.pdb source: Qg_Appv5.exe, 00000018.00000002.2188638150.0000000005240000.00000004.00000800.00020000.00000000.sdmp, Qg_Appv5.exe, 00000018.00000002.2083738036.00000000031E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arp.pdbGCTL source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: wr6XLbv7Ijp4TImjm1ouF4U2.exe, 0000001E.00000002.1881705606.000000014026E000.00000040.00000001.01000000.00000015.sdmp
Source: Binary string: C:\kibiyasehahul-fesivodacodela\yeh75\yexesunowop\54_du.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000000.1346148421.0000000000411000.00000002.00000001.01000000.00000006.sdmp, VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.0000000004105000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000002.2255349183.0000000004155000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000000.1395492963.0000000000411000.00000002.00000001.01000000.0000000B.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041C5000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000000.1442715755.0000000000411000.00000002.00000001.01000000.0000000E.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.0000000004385000.00000004.00000020.00020000.00000000.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000000.1488476128.0000000000411000.00000002.00000001.01000000.00000010.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000000.1495901034.0000000000411000.00000002.00000001.01000000.00000012.sdmp, H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040C6000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000000.1496485772.0000000000411000.00000002.00000001.01000000.00000013.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.0000000004105000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000000.1537881887.0000000000411000.00000002.00000001.01000000.00000019.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.00000000070FA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\wowakemalurac\89\zok hutaye.pdb source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1397303539.0000000005ED1000.00000004.00000020.00020000.00000000.sdmp, u5v8.0.exe, 0000000A.00000000.1394962827.0000000000411000.00000002.00000001.01000000.0000000A.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1453130738.0000000005D61000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1543933265.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u69w.0.exe, 00000014.00000000.1448216913.0000000000411000.00000002.00000001.01000000.0000000F.sdmp, t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000003.1718472453.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000003.1742788058.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, u4dc.0.exe, 0000001F.00000000.1530061498.0000000000411000.00000002.00000001.01000000.00000016.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000003.1828785198.0000000005DF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arp.pdb source: i7gUU3MlvTwbsK8r3hAjzW0p.exe, 00000009.00000003.1404026079.0000000001F39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UIxMarketPlugin.pdb source: Qg_Appv5.exe, 00000018.00000002.2204224716.0000000006F69000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\sikozumohaf\rali\diso.pdb source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479226031.000000000421E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485938094.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041C9000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1463116316.0000000004B21000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481871080.00000000056BB000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464141295.000000000423C000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1482681071.000000000528E000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1466633552.00000000041AA000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1464787413.0000000004138000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1479873402.00000000041AC000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483796218.0000000006285000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493616783.00000000057B0000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1483588875.0000000006032000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1481542444.0000000005BBE000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1480366545.0000000004F20000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1485918092.00000000064D8000.00000004.00000020.00020000.00000000.sdmp, 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1493614495.0000000005292000.00000004.00000020.00020000.00000000.sdmp, PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000000.1532064546.0000000000411000.00000002.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000000.1534304535.0000000000411000.00000002.00000001.01000000.00000018.sdmp
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Unpacked PE file: 30.2.wr6XLbv7Ijp4TImjm1ouF4U2.exe.140000000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Unpacked PE file: 4.2.VtmtVe55Jwcf3rOGIU1yezyh.exe.400000.0.unpack
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Unpacked PE file: 11.2.yPlMO3UKyKRvoEYPhbGYOyT0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Unpacked PE file: 19.2.B46afLBMY0mokUgVdA9CQR52.exe.400000.0.unpack
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Unpacked PE file: 21.2.t7IXQJi6R3tWUMJ8f9cQzMWm.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Unpacked PE file: 27.2.H6XhhPCeuwAb2QQK3C3B1Lwl.exe.400000.0.unpack
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Unpacked PE file: 29.2.l0nXYBHJHVq6UHyy1YDO9fn3.exe.400000.0.unpack
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Unpacked PE file: 34.2.6dpl9L7LbyabhVQNXZXXKjGL.exe.400000.0.unpack
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Unpacked PE file: 39.2.ikL90ODaFTS7N6FbOffM2D1B.exe.400000.0.unpack
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Unpacked PE file: 41.2.G3pV8gTsWQBVrGpK4ooPrlxI.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: NwvsoZspGn6vizp2axhKoY0Z.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: F9a5CAWDzjn4KX6pZMk93eNG.exe.3.dr Static PE information: real checksum: 0x0 should be: 0x670154
Source: wAyxI7uUktpH5TtM4zqnMftR.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: i5XdJ65IHwp8ssJDgSUt738t.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: SZ0cEDCrvP4evlvcOCUltmHu.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: 0WEfXyMPJw5gbxAkYoQ7foIu.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: 6iaJRQnw7XfTmk0UWiyyOxOe.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: LuXFYkxCqJv6U5aGsy6shXnX.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: 01ySZukOlUcP5NF6FSceJyuX.exe.3.dr Static PE information: real checksum: 0x529b04 should be: 0x529bef
Source: 8Hs13Qx2L9GIxFG02dQv6hVO.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: z443T0kZxO5VAxRMw1cjpQdZ.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: W9xI9q4MOUfVc9D8gPa3VVtC.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: FQM2AbwszjT1lQzUoXGDxSTy.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: Xd5tydDy6Vge5DSIUsA4B8HM.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: 9teA9V2job1p0o0lcg2CuXcR.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: IiFh1rXOMpGB7BnxmUig3wkQ.exe.3.dr Static PE information: real checksum: 0x52a1e9 should be: 0x52a2d4
Source: a17F4G7WEa7FlwVixhjX6uYK.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: tByrAP8ibeDbCSADnquqVBQi.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: qGkRm1tZi3ZgbNWlurynDnJq.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: skOP6h6U62cLrOTEAXi7XUT4.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: mPkGObww76qlp1C09a4tgBES.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: zfeRg1KL3b6mzyGkHfaolHvL.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: eRAYqRRIfUj5yD0ovEh9HMd4.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: ugGFIzLnD3Xk89zL7XSYeDGh.exe.3.dr Static PE information: real checksum: 0x529b04 should be: 0x529bef
Source: 3CfyWUQfEPMLfwgMw9RKzj9q.exe.3.dr Static PE information: real checksum: 0x52cacd should be: 0x52cbb8
Source: TD0DvTWbvdprpaFzaf7f79H8.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: ra8RK0HZwqsQsFKuKAOljczn.exe.3.dr Static PE information: real checksum: 0x524fa9 should be: 0x525094
Source: nMCfbx6hx0DUWGYJuDAMUAIJ.exe.3.dr Static PE information: real checksum: 0x524fa9 should be: 0x525094
Source: gs73fZcRyFDJYoYkZbrtadCy.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: IWNHTSCpSFApuke51w2EhXTa.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: jZXBdg5rull5j6LgJCWVgVos.exe.3.dr Static PE information: real checksum: 0x523e46 should be: 0x523f31
Source: x3HF5f4W7zVGUR0m1DVxQqdq.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: 0Flev5sTDyJ3duKpLfv5ka2Z.exe.3.dr Static PE information: real checksum: 0x52cacd should be: 0x52cbb8
Source: Fh7qhqxo9lqcq8fZJGpCZFiC.exe.3.dr Static PE information: real checksum: 0x53171f should be: 0x53180a
Source: 0DWhHyQpdxsJp4gA1M0WjqnA.exe.3.dr Static PE information: real checksum: 0x53171f should be: 0x53180a
Source: zWhvfqZrtT7TUoWor4gRArPv.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: 5Q13Z1W5QdpwzXbxGFAdEXdB.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: 0yHxI2NgcVq897URfu1bGLCU.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: 0FR80IiNvxJZyXnpOgiDlYNV.exe.3.dr Static PE information: real checksum: 0x43dd4c should be: 0x4379fb
Source: H6XhhPCeuwAb2QQK3C3B1Lwl.exe.3.dr Static PE information: real checksum: 0x7ebcf should be: 0x7ebd5
Source: CzCAVDbVcAMwrBna8hMGEVEa.exe.3.dr Static PE information: real checksum: 0x523e46 should be: 0x523f31
Source: file.exe Static PE information: section name: .managed
Source: file.exe Static PE information: section name: _RDATA
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr Static PE information: section name: .MPRESS1
Source: V4R2L1ofXzAhB4UFI0Rj2LED.exe.3.dr Static PE information: section name: .MPRESS2
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr Static PE information: section name: .MPRESS1
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe.3.dr Static PE information: section name: .MPRESS2
Source: F9a5CAWDzjn4KX6pZMk93eNG.exe.3.dr Static PE information: section name: .sxdata
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr Static PE information: section name: .MPRESS1
Source: OFQ7ZJkbPO93pwjUuJw87q34.exe.3.dr Static PE information: section name: .MPRESS2
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr Static PE information: section name: .MPRESS1
Source: QV2CtvThMWBnTkQtNtmINgo7.exe.3.dr Static PE information: section name: .MPRESS2
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr Static PE information: section name: .MPRESS1
Source: XqzL1fMvCxCCFKp0SSzKRmTk.exe.3.dr Static PE information: section name: .MPRESS2
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr Static PE information: section name: .MPRESS1
Source: bfxtyeVJT5bBfIUy0v6XVgPU.exe.3.dr Static PE information: section name: .MPRESS2
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr Static PE information: section name: .MPRESS1
Source: 8FauF1Ec16N4pbn45vApMB9Y.exe.3.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0042D355 push esi; ret 4_2_0042D35E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409D06 push ecx; ret 4_2_00409D19
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_004275A4 push eax; ret 4_2_004275C2
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_004097B6 push ecx; ret 4_2_004097C9
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040D1494 push 00000061h; retf 4_2_040D149C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040CE5D6 pushad ; retf 4_2_040CE5D7
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040CF660 push ecx; iretd 4_2_040CF672
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040D0E85 pushad ; retf 4_2_040D0E8C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040D28F8 push ebp; iretd 4_2_040D292B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040D0B6F push 2B991403h; ret 4_2_040D0B76
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0042D355 push esi; ret 11_2_0042D35E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_00409D06 push ecx; ret 11_2_00409D19
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_004275A4 push eax; ret 11_2_004275C2
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_004097B6 push ecx; ret 11_2_004097C9
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_04121494 push 00000061h; retf 11_2_0412149C
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0411E5D6 pushad ; retf 11_2_0411E5D7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0411F660 push ecx; iretd 11_2_0411F672
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_04120E85 pushad ; retf 11_2_04120E8C
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_041228F8 push ebp; iretd 11_2_0412292B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_04120B6F push 2B991403h; ret 11_2_04120B76
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCC52F push esp; retf 11_2_05BCC537
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BD1CA2 push dword ptr [esp+ecx-75h]; iretd 11_2_05BD1CA6
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB9F6D push ecx; ret 11_2_05BB9F80
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BD780B push eax; ret 11_2_05BD7829
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCCB2D push esp; retf 11_2_05BCCB2E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB9A1D push ecx; ret 11_2_05BB9A30
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0042D355 push esi; ret 19_2_0042D35E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_00409D06 push ecx; ret 19_2_00409D19
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_004275A4 push eax; ret 19_2_004275C2
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_004097B6 push ecx; ret 19_2_004097C9
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_04191494 push 00000061h; retf 19_2_0419149C

Persistence and Installation Behavior

Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\PuQVr13ObJzLxhvCkSK1EXB6.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\IsEPzSszgrCYUPQvHPDrLyFU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\PurfH4hAOpbVHLEkly68a3iu.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\s2mORnBj3q8nWakBtFzD2977.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\62dRoO3BlNtGMcLNCSYzZeqJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\bw9CU3SIyrt3JEs5ELMi3GM3.exe
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File created: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\JUnCNhn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\Yu3aePJPmCD2ksmvI16UpN6t.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\NDdJEWHR1zXBL7ACRBN1bJsT.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\i5XdJ65IHwp8ssJDgSUt738t.exe
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe File created: C:\Users\user\AppData\Local\Temp\u2r8.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\Or8Lkccj3KUYl1SEoAAXBR7t.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\CzCAVDbVcAMwrBna8hMGEVEa.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\rCkxIY3aeSpXebK5FfkxePC4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\jl7RUebEK9s2GdCw2naZuXH3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\KgnOTzWY3o0raijub6ZAid5Z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\WMW9Xl8E0Ffe1Nak8GbEfdwd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\hK1ls0Ofsd3l9PBQOnBvFrY4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\FcF2JyfJLWaSsoJShTukNm1O.exe
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\Xd5tydDy6Vge5DSIUsA4B8HM.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\y1mf9KikiO68brzuQYIFxwgi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\3CfyWUQfEPMLfwgMw9RKzj9q.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\wAyxI7uUktpH5TtM4zqnMftR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\V4R2L1ofXzAhB4UFI0Rj2LED.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\LuXFYkxCqJv6U5aGsy6shXnX.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\0DWhHyQpdxsJp4gA1M0WjqnA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\OFQ7ZJkbPO93pwjUuJw87q34.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\sJ72s0PpaBNUmYNiHyJZFP9z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\75ML2QNSkdxIefrPkvr0UjCi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\WjXPtwNxqwEpWrekfMAFvnPV.exe
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe File created: C:\Users\user\AppData\Local\Temp\u1hw.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\H9xPrDydeyqRWbh69y5tSjbf.exe
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File created: C:\Users\user\AppData\Local\Temp\u5v8.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\TZNY2jGrHaeFElorDDQMNtS0.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\eRAYqRRIfUj5yD0ovEh9HMd4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\f1yTeHrlUuYsPLKRUrl6KMpe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\I7GsKiDVRkgU0AqHrZJ1PiD5.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\7725eaa6592c80f8124e769b4e8a07f7[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\9rAJjYr1uJZPfASZhYrXXHW2.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\y6XaweA6d3ukZLoFeklnZ9Wr.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\uhjAlwetTCGgkw8uV562JOyG.exe
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe File created: C:\Users\user\AppData\Local\Temp\u33c.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\8FauF1Ec16N4pbn45vApMB9Y.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\x3HF5f4W7zVGUR0m1DVxQqdq.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\vg2jjUpoYoMsgaKeZN28z4wt.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\sVP78YSUuB86fyhUIuxT6msl.exe
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\hh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\nUulTm4TlMq3112NFdqwQUUv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\5vt9Hlt4sHU3M9tLNtkwRemY.exe
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937415374172.dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\9JPBg0fN0RIfaIShEtttlmtW.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\ra8RK0HZwqsQsFKuKAOljczn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\0Bos1rjatCgxKDAqeI5gMROw.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\ehuKK8NkGWXoqtsyMQJdZvL3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\r1G18V8V8shEwNWwtcDq5rcn.exe
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe File created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\tw6SuwCix1CRVfIYPT24Ycm6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\SZ0cEDCrvP4evlvcOCUltmHu.exe
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\rSpYcYxqkOCX3T18aW46DWhn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\z443T0kZxO5VAxRMw1cjpQdZ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\IiFh1rXOMpGB7BnxmUig3wkQ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\xvXQt3HWUPHZOypqdys3bcAm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe File created: C:\Users\user\AppData\Local\Temp\u1hw.0.exe
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\9UmuglKcKHgfePSzDJeh2tr3.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\jZXBdg5rull5j6LgJCWVgVos.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\bfxtyeVJT5bBfIUy0v6XVgPU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\fkwQUocr72Hw75SyPBzpetnQ.exe
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe File created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\vU4jsQbpuBQoMcavMx7b1jzX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\JMNwDYLRHcfb7Lck3bh1QS4f.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\01ySZukOlUcP5NF6FSceJyuX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\QFdxqcJJKBnNvVH34NTBZO9k.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\4H9gwSn9hsmr1uT7Ln1OMxxi.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Default12_my[1].exe
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\rdJ9fWEopei9Jq2a4C4fmX3Z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\p9kj7yqazy7x5QKCpeuskKjf.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\9SfnYxeY7MBStUWc3d6vaufA.exe
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\F9a5CAWDzjn4KX6pZMk93eNG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\6uk7M8l1XN7kn2GGjKmOMQUi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\tSUKH8w2Pv8sgaLWrFPRDr1i.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\XqzL1fMvCxCCFKp0SSzKRmTk.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\gs73fZcRyFDJYoYkZbrtadCy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\pHBfSuis1Xhkv6ZdHJOyObLb.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\zfeRg1KL3b6mzyGkHfaolHvL.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\tByrAP8ibeDbCSADnquqVBQi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\2pjOwxxUjFNOdrkI94TdGraH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\BCSbmKJiX30BH99M4SeS6WhT.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\MLHy8CHCXXPjzOh2OJFrG13g.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\4atMces8tYoo96OnbLT8HE6O.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\qGkRm1tZi3ZgbNWlurynDnJq.exe
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937382151588.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\Pb9nMKWmPyxCQFZJxeJuCUeo.exe
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\s2d02ZEHUbxI410yPzvUYGTP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\XE6DyfdivLtuouzog1ddAcWy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\SsTCNrfNwbE2RJWH23gTlxFP.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\ult4yIpyxeTm9lUFFOHFNl2P.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\lOl0Z8MedrKL384KSuZP1lEu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\snOfq5H0Ss3VGXsE0fRFljun.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\Fh7qhqxo9lqcq8fZJGpCZFiC.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\VKzps0C0te7NTLkv4QCHU1YW.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\hKiTsf257VLWDEryVqhdGiax.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\nMCfbx6hx0DUWGYJuDAMUAIJ.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\cad54ba5b01423b1af8ec10ab5719d97[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\vMRsi4avLKS3BjZRk9vaqhZz.exe
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe File created: C:\Users\user\AppData\Local\Temp\u4dc.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\7ajn4zo6v0GdgVSDv67pQ6UA.exe
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe File created: C:\Users\user\AppData\Local\Temp\u46g.0.exe
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe File created: C:\Users\user\AppData\Local\Temp\u4hg.0.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\PNqnjNHui8frV2dffCZrA05K.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\SlHGsDZGgkpk7MxF0QDuypot.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\RHyh0hfeaEHqborlFdL4LJTH.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\nxx62MIcAq1mLUazdUlt2emv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\10ff9npsu4lZrEUNQDLknd3T.exe
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\wkp6W1E2mbyM9VriyJKcQkLy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\mPkGObww76qlp1C09a4tgBES.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\0yHxI2NgcVq897URfu1bGLCU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\2YL4IgWcBHinkIA211vO9Bpr.exe
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\ARP.EXE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\xXfU3dY2WEStW3xUEgs7rT08.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\TD0DvTWbvdprpaFzaf7f79H8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\6iaJRQnw7XfTmk0UWiyyOxOe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\8wsOStmCG25nWXULr6UWy2Q5.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\8Hs13Qx2L9GIxFG02dQv6hVO.exe
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe File created: C:\Users\user\AppData\Local\Temp\u624.0.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\wv3L00mTLTTnOX1S2obszDcX.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\NwvsoZspGn6vizp2axhKoY0Z.exe
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe File created: C:\Users\user\AppData\Local\Temp\u69w.1.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\timeSync[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\r0DfbOvsdOtWhxCPYUgwqjYI.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\NdBfL9GQKAuQALK03ZlcLnBv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\63TGqnDkcQpbTyiukd2djP6a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\VmjwaGr6tPcRf0rEBWGZ46z3.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\skOP6h6U62cLrOTEAXi7XUT4.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\0Flev5sTDyJ3duKpLfv5ka2Z.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\0WEfXyMPJw5gbxAkYoQ7foIu.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\9teA9V2job1p0o0lcg2CuXcR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\ugGFIzLnD3Xk89zL7XSYeDGh.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe File created: C:\Users\user\AppData\Local\Temp\u33c.1.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File created: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\appidpolicyconverter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\jTODdSkaulFxtvMU8WoUUyzs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\W7lXXTFWXeTByuMsbD5hqZaG.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\a17F4G7WEa7FlwVixhjX6uYK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe File created: C:\Users\user\AppData\Local\Temp\u46g.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\idw0Y68mq2UfXecINGuMfSFO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\FQM2AbwszjT1lQzUoXGDxSTy.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\QbLPxQThjmTC7G98txUkfov6.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\1CGwy9Tr3ZgPn871BvByOPxR.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\oItrqw2PxeTCx2grDJJI9Sqg.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\W9xI9q4MOUfVc9D8gPa3VVtC.exe
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe File created: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe File created: C:\Users\user\AppData\Local\Temp\u4hg.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\zFZkiprzkq8Ae7mkklwscu5a.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\QV2CtvThMWBnTkQtNtmINgo7.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\5Q13Z1W5QdpwzXbxGFAdEXdB.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\t5dER7PVcN8YbrHzsawB4xKm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\ShiCqBALVwHXuLXc8u9Hf2su.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\VgRPuj2QfERyAHULRBeO1F20.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\alB5HeuQna7ct24xMLLWf2EN.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\zWhvfqZrtT7TUoWor4gRArPv.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\aTFJoaTi8xkup68H3WyrFIbQ.exe
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe File created: C:\Users\user\AppData\Local\Temp\u2r8.0.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\790489aa[1].exe
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe File created: C:\Users\user\AppData\Local\Temp\u69w.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\JUzoV9GxBJCDHhTcPnbRBLla.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\Pictures\IWNHTSCpSFApuke51w2EhXTa.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\saftSBfOyQtbUhRB42BwTwJm.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Local\wDhpi03qlIbaSzF5WZoKo8eV.exe Jump to dropped file
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe File created: C:\Users\user\AppData\Local\Temp\u624.1.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File created: C:\Windows\Temp\ofqvFcNvzeRditbz\sCLSBctEBYVgufH\JUnCNhn.exe Jump to dropped file
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213748763.log
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240423213755078.log

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4wmr0Bf4EXaMCuRI7IEqrEN.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JlRLEIpF3kijytHz1FaeY3WZ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UYav4djsSfeWrnxzOp8uz2JM.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vz9LfAQRgiDqx5aIN1rUzgI.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7IdlNY4tr5xX5jsAv5Xm1aGP.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cg01RYFCgQ4yuUBvkQoejwXD.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABVMMLQpGhcp1W2ujjO04sLV.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fQToSS9BPvVcS8w6eNfcK0kY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7bW39nU2llZKhOZXueEFrfF.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJXmw8FbD4RPPXhLeAm8SoVJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfdWx9QBHbiX53OVW3ybKn3w.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cYTbNzYImrDYIx7DZ1mq8uju.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPufcIhuWOPTECewJPFroVOs.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCp8sgzWACD6Vy523F9IlcQB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zEeQhGslvnDbo67JpIq1JJCf.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1y6rl2pC8mUDNK8qfoy3mwi.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pc0fUYEqajLGUWQtn2ftxoqL.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNhgzOtBFiyZVWZ3q4kFYqN6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r0iR2ukaNLwNYvPx5HIxG52l.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLlWxWjkKRHHt42qJxZpv3D4.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjmIHqcSIrCufgz14qWPPLBs.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7lgGvzEo7nECzBG3bpAxjivM.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WRO1mDUXRTjz6psEJDnxyxnx.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbcng22Z0TSdvpG3NMlJFqMM.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QJOvieJeRHqxL1CkBVqLAHn4.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WubC0DiuPPNp4xftV5ZUsBRa.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uh3nu45INFmWm7584kVwgFUO.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZdfK51JZVeSwQUZVWqostT0.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DsmX5IKpf85YqLtUG2emopLQ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jR7LsmZUnB4FZaCYUqyCsVgJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKepX7TNvoxrvNCU36z69Z8U.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u5dGk12YYILlpzhYxk2XzgEM.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8U1eBzGHaaLerzhFHg9U9VIJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6Lj2r8HjpXGeANxR3KECgncY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13YCUaamLsi0QOacTlyUtCF3.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsbzRFmTsKBykEPO6dTSp6Bo.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdlcSQxWa3EiYarbRMZZXW6B.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nqmQZESYWs8lMVQC5uSuvZGu.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsTljUDyfomCxhnzNXfr7Xm9.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YK212xIfnETeMj8HWzSaLpXm.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LlgTJb1fsKZaWWGOHpA0Z7jy.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X92VSFxhiRrhLMunkKi2h57u.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wpfphpa0v7Nt73NmqVDrheEB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MeUXi1xZRfgTr34geRpmygtS.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfqsmrq9YcEQ7hPoIyQgCVFc.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gsl02wkLG0QjvXiDlgL1h1Gi.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JtkF0WemvMdybR3XRcsFyf1i.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t1VNoyGIaOw1GtxZ1M3tjpAQ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L66Dh4NdwdeMMxg3HjUpU2VV.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfrK2eleGgknmu9FzWkpzB7c.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zf29JQFSkkWOPzBYpym8uJAy.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSzAVr1FmnmbHDkLIrabhsTB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchWZdT95vOpzHp7On4mxxfQ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zg3gHfMVLuRw8ensa1FCPDaU.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wnPWh6gigyeyZklNGZd5SKHQ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yja9y4U3Z3AC8NiP5CTtr4Gt.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6xZdoDoBUE5p5eHQogOzmCAe.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5Sezk8AJ1dVCIp8NlarOJfh.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxHbHMNvefHp2Hvr6DcpzhYd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MfQYCojjZujE183iHin4yvvN.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZboQ6QzDUJYdvbmW1ugLygi3.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qjWESUwN5QphEhjbuV2RyE3e.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rn8SDNMr1p6wepdx6lkoczBh.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERBtXO5ho7nmZoFsGYVG8xKj.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KD5MxYvzde1avFdeWwU1rF85.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0tqRsZaQXhm54caqwDUXuMHC.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BtjTi3FF9au1FQnlKymnDMg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3rRyjClAJ2k30QIrWGpVFDpo.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBjdJ2s3yN24CmoRslMpXshQ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UsRuWQ7xN6FZn5at6gRKTF3B.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6qSF0ut9ErFpR3WVXzTlEB6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XlekvkCI3kM0b7NtTDTdRwQu.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84qHSnAnloUyGTjudCcnx8X7.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fMi9oyVvviqTTN6Wr56ISLB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\913UuC1tRhVGy6AHxLqTaVLY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SobxUGvoTK5M02dimGqnbluB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnYvJsdw6gVMo54pPIPOTk7f.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ljM3vcf9uuofRJ8ARCciU76L.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ra9dznGmjOHpZAiuMncAyjjm.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNOt66EI4etu2JX94D2Yxd2b.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzGR4bdGfx80t9z5gTXhjS5m.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BN2W9TNO6kL3gJzRRzdUbTZg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v626yA0xMjbBDle6UIsKMxMX.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2GuBTHnmBkN3dSsucJeBkQG.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpILK5HtW16MD0UJ7pzV1QPJ.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bRXCsNtemAFBshpyVJXEffxd.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yv6LDN6gTc8YJ8q14nqOwadt.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sS6m1zJ7SM7VOu619Ye9oRPC.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BosibbTKPcpK0gAFoIDe9sCf.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ylpTCbqw6Bd6MUStDnsoxMXB.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1hkcRBWLeEPqv2ntphnoy15W.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oZiUKJGSA8G9xcONfqSnC56U.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVMvJuock0EvSLQr8i6oWa6o.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fagr44gehhmhQmsmZzIfzCC2.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\er4UWRAIc5nksPtzjAlnLniT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVAm1QI1IkUDwXuoaPmgOaGO.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8xb4CYcBawbLerlRgmQScw49.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c30OjsA06vP0OjpHU4TSEFXy.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INQlUc1XgC4YubLIynK9wvrP.bat Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe File created: C:\Windows\Tasks\bWycNackLSywaqkmgR.job
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ECVVQonpjDvaVVq8u9A57jpg.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4wmr0Bf4EXaMCuRI7IEqrEN.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JlRLEIpF3kijytHz1FaeY3WZ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gsl02wkLG0QjvXiDlgL1h1Gi.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JtkF0WemvMdybR3XRcsFyf1i.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchWZdT95vOpzHp7On4mxxfQ.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zg3gHfMVLuRw8ensa1FCPDaU.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rn8SDNMr1p6wepdx6lkoczBh.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UsRuWQ7xN6FZn5at6gRKTF3B.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A6qSF0ut9ErFpR3WVXzTlEB6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v626yA0xMjbBDle6UIsKMxMX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ylpTCbqw6Bd6MUStDnsoxMXB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVMvJuock0EvSLQr8i6oWa6o.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fagr44gehhmhQmsmZzIfzCC2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c30OjsA06vP0OjpHU4TSEFXy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\INQlUc1XgC4YubLIynK9wvrP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DsmX5IKpf85YqLtUG2emopLQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jR7LsmZUnB4FZaCYUqyCsVgJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u5dGk12YYILlpzhYxk2XzgEM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdlcSQxWa3EiYarbRMZZXW6B.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsTljUDyfomCxhnzNXfr7Xm9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LlgTJb1fsKZaWWGOHpA0Z7jy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MeUXi1xZRfgTr34geRpmygtS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfrK2eleGgknmu9FzWkpzB7c.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6xZdoDoBUE5p5eHQogOzmCAe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxHbHMNvefHp2Hvr6DcpzhYd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KD5MxYvzde1avFdeWwU1rF85.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BtjTi3FF9au1FQnlKymnDMg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBjdJ2s3yN24CmoRslMpXshQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fMi9oyVvviqTTN6Wr56ISLB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SobxUGvoTK5M02dimGqnbluB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzGR4bdGfx80t9z5gTXhjS5m.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNOt66EI4etu2JX94D2Yxd2b.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ljM3vcf9uuofRJ8ARCciU76L.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F2GuBTHnmBkN3dSsucJeBkQG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bRXCsNtemAFBshpyVJXEffxd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BosibbTKPcpK0gAFoIDe9sCf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1hkcRBWLeEPqv2ntphnoy15W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oZiUKJGSA8G9xcONfqSnC56U.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\er4UWRAIc5nksPtzjAlnLniT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVAm1QI1IkUDwXuoaPmgOaGO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8xb4CYcBawbLerlRgmQScw49.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UNhgzOtBFiyZVWZ3q4kFYqN6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7lgGvzEo7nECzBG3bpAxjivM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bbcng22Z0TSdvpG3NMlJFqMM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WubC0DiuPPNp4xftV5ZUsBRa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZZdfK51JZVeSwQUZVWqostT0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKepX7TNvoxrvNCU36z69Z8U.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nqmQZESYWs8lMVQC5uSuvZGu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YK212xIfnETeMj8HWzSaLpXm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dfqsmrq9YcEQ7hPoIyQgCVFc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t1VNoyGIaOw1GtxZ1M3tjpAQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yja9y4U3Z3AC8NiP5CTtr4Gt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t5Sezk8AJ1dVCIp8NlarOJfh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MfQYCojjZujE183iHin4yvvN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qjWESUwN5QphEhjbuV2RyE3e.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0tqRsZaQXhm54caqwDUXuMHC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\84qHSnAnloUyGTjudCcnx8X7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tnYvJsdw6gVMo54pPIPOTk7f.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ra9dznGmjOHpZAiuMncAyjjm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BN2W9TNO6kL3gJzRRzdUbTZg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HpILK5HtW16MD0UJ7pzV1QPJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yv6LDN6gTc8YJ8q14nqOwadt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sS6m1zJ7SM7VOu619Ye9oRPC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DJXmw8FbD4RPPXhLeAm8SoVJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wfdWx9QBHbiX53OVW3ybKn3w.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cYTbNzYImrDYIx7DZ1mq8uju.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sPufcIhuWOPTECewJPFroVOs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCp8sgzWACD6Vy523F9IlcQB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zEeQhGslvnDbo67JpIq1JJCf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1y6rl2pC8mUDNK8qfoy3mwi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pc0fUYEqajLGUWQtn2ftxoqL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\r0iR2ukaNLwNYvPx5HIxG52l.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MLlWxWjkKRHHt42qJxZpv3D4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjmIHqcSIrCufgz14qWPPLBs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WRO1mDUXRTjz6psEJDnxyxnx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QJOvieJeRHqxL1CkBVqLAHn4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uh3nu45INFmWm7584kVwgFUO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8U1eBzGHaaLerzhFHg9U9VIJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6Lj2r8HjpXGeANxR3KECgncY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\13YCUaamLsi0QOacTlyUtCF3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsbzRFmTsKBykEPO6dTSp6Bo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X92VSFxhiRrhLMunkKi2h57u.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wpfphpa0v7Nt73NmqVDrheEB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L66Dh4NdwdeMMxg3HjUpU2VV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zf29JQFSkkWOPzBYpym8uJAy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RSzAVr1FmnmbHDkLIrabhsTB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wnPWh6gigyeyZklNGZd5SKHQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZboQ6QzDUJYdvbmW1ugLygi3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERBtXO5ho7nmZoFsGYVG8xKj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3rRyjClAJ2k30QIrWGpVFDpo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XlekvkCI3kM0b7NtTDTdRwQu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\913UuC1tRhVGy6AHxLqTaVLY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UYav4djsSfeWrnxzOp8uz2JM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5vz9LfAQRgiDqx5aIN1rUzgI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7IdlNY4tr5xX5jsAv5Xm1aGP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cg01RYFCgQ4yuUBvkQoejwXD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ABVMMLQpGhcp1W2ujjO04sLV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fQToSS9BPvVcS8w6eNfcK0kY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7bW39nU2llZKhOZXueEFrfF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ywURDw7C6zMeRsof3kBXxpU.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pLcp1mMRVrfoftEu1oKo7EQU.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VoYUQzlIPy2CQ7auo8daNx7A.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oX3RgNofkgZNW1Os252HClux.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ZYRf5dx7GqJx3l35fKvDZO8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8dIzwG40mmQ7mxh4nJYR7fin.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bUvvEC4G93x8m0jMUV1cvbkw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\791uKA04n6KFLHtwHnjK9hoV.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y0CqVXQV0YSEnDiptPiHGIIC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kk0VS6Oeosw6tWUrpGI1GUiJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hkdC1RojujX5k1DjwMZ3m53C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwduwYkLXSb2GF3vux2rNkrk.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k09nFNmfPaAV8TbITKMV0NQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OMg9VYGhTMmOWOdpeinUzXxS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wo1P9zhTUjnTlrOeTp1sTnJB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xSB004NwHIjUzPebzxfgYy6M.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C6plKnC16OcysWG3iYxCicta.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JwleVm0kNOyDWRFneHiO7JF2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H4kJahC6qjDEJs4KOlT9YrLj.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BKTdFTil10Rxbx2AcPfv4Wbu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5FShBkGLSUEUFI9VFZ0ECdTf.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vrn34hmXrMXoIyvZRaTgjkg0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yLrCNsFDaU7gI96DJGkskDGD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ahtOSjAvEodBTLojg8tYK2oi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RfoG22ZLMmZUJmI5a4966mOY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O8Kgv0druxTFfZsHOwjgYEle.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3JuqN9hvCAys7Gy6oZZoCzhT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bBfUxqomlFONHrwoOa7bLerx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JCpZnFr5MyYfVYa26BJ4tgNP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s43C8UHhQAcNSwRGxZag8EP2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\v6OAGPNLo8g4FxLeXUjM1mrW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KPWcHmXzjov5ISLdPxDhZLCg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ef27X2bsovEcForsSj11qs02.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pI9UCOqBrq3HW8eVihoQ9LjK.bat

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 7E0005 value: E9 2B BA 6F 76
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 76EDBA30 value: E9 DA 45 90 89
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 7F0008 value: E9 8B 8E 73 76
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 76F28E90 value: E9 80 71 8C 89
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 2AA0005 value: E9 8B 4D 5D 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 76074D90 value: E9 7A B2 A2 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 2AB0005 value: E9 EB EB 5D 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 7608EBF0 value: E9 1A 14 A2 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 2AC0005 value: E9 8B 8A AE 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 765A8A90 value: E9 7A 75 51 8C
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 2AD0005 value: E9 2B 02 B0 73
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Memory written: PID: 7488 base: 765D0230 value: E9 DA FD 4F 8C
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00408761
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Special instruction interceptor: First address: CE3339 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F37A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F39070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 27F59070000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: DB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 2850000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 4850000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 7070000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 6500000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 83B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 93B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 96D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: B6D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: E6D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: F250000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 15210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 16210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1AAC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1BAC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 22AC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 23840000 memory reserve | memory write watch
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596811
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595530
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 6134
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 3641
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1066
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe Window / User API: threadDelayed 381
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\bw9CU3SIyrt3JEs5ELMi3GM3.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\0bDSNbGYZjXnI1v06off3DYe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2pjOwxxUjFNOdrkI94TdGraH.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\NpXiURSjfclxWgcUlkMD5eJ8.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0Flev5sTDyJ3duKpLfv5ka2Z.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\Retailer_prog[1].exe
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937382151588.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\NDdJEWHR1zXBL7ACRBN1bJsT.exe
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[4].exe
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UniversalInstaller.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\ugGFIzLnD3Xk89zL7XSYeDGh.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\IsEPzSszgrCYUPQvHPDrLyFU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ra8RK0HZwqsQsFKuKAOljczn.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\CzCAVDbVcAMwrBna8hMGEVEa.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0Bos1rjatCgxKDAqeI5gMROw.exe
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\appidpolicyconverter.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Fh7qhqxo9lqcq8fZJGpCZFiC.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hK1ls0Ofsd3l9PBQOnBvFrY4.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\060[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232137541\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\GyEiPhmZ7wFSCYXwTgsPkluJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\nMCfbx6hx0DUWGYJuDAMUAIJ.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\cad54ba5b01423b1af8ec10ab5719d97[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\3CfyWUQfEPMLfwgMw9RKzj9q.exe Jump to dropped file
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404232138021\opera_package Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\setup[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Zsk2cFkeBC4UsceqkHvvw1iU.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\PurfH4hAOpbVHLEkly68a3iu.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\0DWhHyQpdxsJp4gA1M0WjqnA.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\IiFh1rXOMpGB7BnxmUig3wkQ.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\urA10ZckYEEXLZZov5c00RO_.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\Space_my[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\HDCJLf7pYcxae1KSycA6A5eR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\1CGwy9Tr3ZgPn871BvByOPxR.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\123p[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\sJ72s0PpaBNUmYNiHyJZFP9z.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\jZXBdg5rull5j6LgJCWVgVos.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\WjXPtwNxqwEpWrekfMAFvnPV.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\PuQVr13ObJzLxhvCkSK1EXB6.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\driverRemote_debug\relay.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\01ySZukOlUcP5NF6FSceJyuX.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\62dRoO3BlNtGMcLNCSYzZeqJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\2YL4IgWcBHinkIA211vO9Bpr.exe Jump to dropped file
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\ARP.EXE Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\DQNVS06W\7725eaa6592c80f8124e769b4e8a07f7[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\Opera_109.0.5097.59_Autoupdate_x64[2].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tSUKH8w2Pv8sgaLWrFPRDr1i.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aTFJoaTi8xkup68H3WyrFIbQ.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9H3TYFD3\790489aa[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\hh.exe Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\s2mORnBj3q8nWakBtFzD2977.exe Jump to dropped file
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404231937415374172.dll Jump to dropped file
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\timeSync[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe API coverage: 8.3 %
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe API coverage: 8.3 %
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe API coverage: 8.3 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7504 Thread sleep count: 6134 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7504 Thread sleep count: 3641 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7396 Thread sleep time: -2100000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599766s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599653s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599547s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599438s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599328s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599219s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599108s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598998s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598891s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598672s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598558s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598451s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598341s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598216s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -598075s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597963s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597833s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597578s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597468s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597359s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597250s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597140s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -597031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596919s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596811s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596676s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596562s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596453s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596343s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596231s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596125s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -596015s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -595771s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -595640s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -595530s >= -30000s Jump to behavior
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7840 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 Thread sleep count: 331 > 30
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 Thread sleep time: -66200s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7556 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep count: 1066 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 332 Thread sleep count: 60 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 206 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 Thread sleep count: 333 > 30
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 Thread sleep time: -1998000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe TID: 8160 Thread sleep count: 381 > 30
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe TID: 8160 Thread sleep time: -2286000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041D9E1 FindFirstFileExA, 4_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041D9E1 FindFirstFileExA, 11_2_0041D9E1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BCDC48 FindFirstFileExA, 11_2_05BCDC48
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041D9E1 FindFirstFileExA, 19_2_0041D9E1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CFDC48 FindFirstFileExA, 19_2_05CFDC48
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041D9E1 FindFirstFileExA, 21_2_0041D9E1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041DDC48 FindFirstFileExA, 21_2_041DDC48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385D46F0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF6385D46F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599653 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599438 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599219 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 599108 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598998 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598891 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598558 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598451 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598341 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598216 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 598075 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597963 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597833 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 597031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596919 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596811 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596231 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 596015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595771 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595640 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 595530 Jump to behavior
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
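The "Thread sleep time" / "Thread sleep count" lines above and the "Thread delayed" lines that repeat the same values are the report's evidence for time-based sandbox evasion: single sleeps of 30 s or more, sleep loops with hundreds or thousands of iterations, and an indefinite wait. The decoder below is an added example by the editor, not part of the report or of the sandbox's own tooling. It assumes the figures are milliseconds despite the "s" suffix (600000 then reads as a 10-minute Sleep, and the report's threshold of 30000 as 30 s), and it recognises 922337203685477 as 0x8000000000000000 (the most negative 64-bit relative interval NtDelayExecution accepts) divided by 10,000, i.e. an INFINITE wait rather than a real timer. Values larger than that cannot be a representable relative interval, so they are reported as anomalous instead of being summed. The sample input is a handful of lines copied from the report.

```python
"""Decode sandbox 'Thread sleep' / 'Thread delayed' report lines into per-thread evasion tags."""
import re
from collections import defaultdict

# Assumption (not stated by the report): figures are milliseconds, so the report's own
# ">= -30000" threshold means "one sleep of at least 30 s".
THRESHOLD_MS = 30_000
LOOP_THRESHOLD = 30
# Int64.MinValue (0x8000000000000000) in 100-ns NtDelayExecution units, expressed in ms.
# A Timeout.Infinite / INFINITE wait shows up as exactly this number: 922337203685477.
INFINITE_MS = (1 << 63) // 10_000

SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep (?P<kind>time|count): "
    r"-?(?P<val>\d+)s? (?:>=|>) -?\d+s?"
)
# 'Thread delayed' lines carry no TID, so they are keyed with tid=None.
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<val>\d+)")


def _new_stats():
    return {"max_ms": 0, "total_ms": 0, "long_sleeps": 0, "loop_max": 0,
            "infinite": False, "anomalous": []}


def parse_sleep_evidence(lines):
    """Return {(process, tid): stats} aggregated over every matching line."""
    stats = defaultdict(_new_stats)
    for raw in lines:
        line = raw.strip()
        m = SLEEP_RE.match(line)
        if m:
            key, kind, val = (m["proc"], int(m["tid"])), m["kind"], int(m["val"])
        else:
            m = DELAY_RE.match(line)
            if not m:
                continue
            key, kind, val = (m["proc"], None), "time", int(m["val"])
        s = stats[key]
        if kind == "count":
            s["loop_max"] = max(s["loop_max"], val)        # sleep-loop iterations
        elif val == INFINITE_MS:
            s["infinite"] = True                            # indefinite wait sentinel
        elif val > INFINITE_MS:
            s["anomalous"].append(val)                      # not a representable interval
        else:
            s["total_ms"] += val
            s["max_ms"] = max(s["max_ms"], val)
            if val >= THRESHOLD_MS:
                s["long_sleeps"] += 1
    return dict(stats)


def evasion_tags(s):
    """Translate one thread's stats into the evasion behaviours it exhibits."""
    tags = set()
    if s["long_sleeps"]:
        tags.add("long_sleep")
    if s["loop_max"] > LOOP_THRESHOLD:
        tags.add("sleep_loop")
    if s["infinite"]:
        tags.add("infinite_wait")
    if s["anomalous"]:
        tags.add("anomalous_interval")
    return tags


def summarize(lines):
    """{(process, tid): (total summed sleep in ms, sorted tags)}"""
    return {key: (s["total_ms"], sorted(evasion_tags(s)))
            for key, s in parse_sleep_evidence(lines).items()}


# Constructed input: lines copied verbatim from the report above.
SAMPLE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -20291418481080494s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7464 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7504 Thread sleep count: 6134 > 30 Jump to behavior
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7840 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 Thread sleep count: 331 > 30
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe TID: 7512 Thread sleep time: -66200s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 Thread sleep count: 333 > 30
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe TID: 1076 Thread sleep time: -1998000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 600000 Jump to behavior
"""

if __name__ == "__main__":
    for (proc, tid), (total_ms, tags) in summarize(SAMPLE.splitlines()).items():
        print(f"{proc.rsplit(chr(92), 1)[-1]:<20} tid={tid!s:<6} slept={total_ms / 1000:>8.1f}s  {','.join(tags)}")
```

The interesting read-outs are the pairing of a 10-minute sleep with a 6000-iteration sleep loop inside the hollowed AddInProcess32.exe (both stall a sandbox whose clock is not accelerated), and the indefinite wait in powershell.exe, which a sandbox must skip outright to see any further behaviour.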
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe File opened: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1935720214.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1950262474.0000000005EAF000.00000004.00000020.00020000.00000000.sdmp, l0nXYBHJHVq6UHyy1YDO9fn3.exe, 0000001D.00000002.1941782899.0000000004437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: t7IXQJi6R3tWUMJ8f9cQzMWm.exe, 00000015.00000002.1930649503.00000000043AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`:@
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: u69w.1.exe, 00000023.00000002.1911027770.0000000000A22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: 0FR80IiNvxJZyXnpOgiDlYNV.exe, 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V C$
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Enterprise without Hyper-V Full
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: QEMU_HARDU
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: svchost.exe, 00000008.00000003.1378683113.000002127EC44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Standard without Hyper-V Full
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: PA8JWMmRYiQsN7iqTjOvjsbW.exe, 00000020.00000001.1883456337.0000000000400000.00000040.00000001.01000000.00000017.sdmp, zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: u69w.1.exe, 00000023.00000002.1911027770.0000000000A22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Qg_Appv5.exe, 00000018.00000002.2204224716.000000000739E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: H6XhhPCeuwAb2QQK3C3B1Lwl.exe, 0000001B.00000002.1937881733.00000000040ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`J
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000002.2263801025.000000000412D000.00000004.00000020.00020000.00000000.sdmp, 6dpl9L7LbyabhVQNXZXXKjGL.exe, 00000022.00000002.2121441955.000000000412D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`:
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: svchost.exe, 00000006.00000002.1735098946.000001D257602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno 
anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: zUOgRazdYnb35XHU4UIsV9Yc.exe, 00000021.00000001.1945506899.0000000000400000.00000040.00000001.01000000.00000018.sdmp Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp, u69w.1.exe, 00000023.00000000.1537903237.000000000041C000.00000020.00000001.01000000.0000001A.sdmp Binary or memory string: Standard without Hyper-V Core
Source: B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000002.1918787360.00000000041ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Aapi.dllHyper-V RAW`Q$
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: regmonclass
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: ollydbg
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: filemonclass
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Process queried: DebugPort
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041919A LdrInitializeThunk, 4_2_0041919A
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00409A73
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_004139E7 mov eax, dword ptr fs:[00000030h] 4_2_004139E7
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_040CC5B3 push dword ptr fs:[00000030h] 4_2_040CC5B3
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_05BD0D90 mov eax, dword ptr fs:[00000030h] 4_2_05BD0D90
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_05BD092B mov eax, dword ptr fs:[00000030h] 4_2_05BD092B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_004139E7 mov eax, dword ptr fs:[00000030h] 11_2_004139E7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0411C5B3 push dword ptr fs:[00000030h] 11_2_0411C5B3
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB0D90 mov eax, dword ptr fs:[00000030h] 11_2_05BB0D90
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BC3C4E mov eax, dword ptr fs:[00000030h] 11_2_05BC3C4E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB092B mov eax, dword ptr fs:[00000030h] 11_2_05BB092B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_004139E7 mov eax, dword ptr fs:[00000030h] 19_2_004139E7
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0418C5B3 push dword ptr fs:[00000030h] 19_2_0418C5B3
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CE0D90 mov eax, dword ptr fs:[00000030h] 19_2_05CE0D90
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CF3C4E mov eax, dword ptr fs:[00000030h] 19_2_05CF3C4E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CE092B mov eax, dword ptr fs:[00000030h] 19_2_05CE092B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_004139E7 mov eax, dword ptr fs:[00000030h] 21_2_004139E7
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041D3C4E mov eax, dword ptr fs:[00000030h] 21_2_041D3C4E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041C0D90 mov eax, dword ptr fs:[00000030h] 21_2_041C0D90
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041C092B mov eax, dword ptr fs:[00000030h] 21_2_041C092B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0434C5B3 push dword ptr fs:[00000030h] 21_2_0434C5B3
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Code function: 24_2_0040F124 mov eax, dword ptr fs:[00000030h] 24_2_0040F124
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00420C1A GetProcessHeap, 4_2_00420C1A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF6385C6E20 RtlAddVectoredExceptionHandler, 0_2_00007FF6385C6E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63862B514 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF63862B514
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00409A73
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409C06 SetUnhandledExceptionFilter, 4_2_00409C06
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00409EBE
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041073B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00409A73
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_00409C06 SetUnhandledExceptionFilter, 11_2_00409C06
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00409EBE
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0041073B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_05BB9CDA
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BB9E6D SetUnhandledExceptionFilter, 11_2_05BB9E6D
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BC09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_05BC09A2
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: 11_2_05BBA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_05BBA125
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_00409A73
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_00409C06 SetUnhandledExceptionFilter, 19_2_00409C06
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_00409EBE
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0041073B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CE9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_05CE9CDA
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CE9E6D SetUnhandledExceptionFilter, 19_2_05CE9E6D
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CF09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_05CF09A2
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: 19_2_05CEA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_05CEA125
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_00409A73
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_00409C06 SetUnhandledExceptionFilter, 21_2_00409C06
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_00409EBE
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_0041073B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041C9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_041C9CDA
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041C9E6D SetUnhandledExceptionFilter, 21_2_041C9E6D
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041CA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 21_2_041CA125
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: 21_2_041D09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 21_2_041D09A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe NtQuerySystemInformation: Indirect: 0x1406173E4
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe NtSetInformationThread: Indirect: 0x14066CAF7
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtQuerySystemInformation: Direct from: 0x456867
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe NtQueryInformationProcess: Indirect: 0x140662896
Source: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe NtQueryInformationProcess: Indirect: 0x140683C42
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtQuerySystemInformation: Direct from: 0x6169D145
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6C2008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe "C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe "C:\Users\user\Pictures\i7gUU3MlvTwbsK8r3hAjzW0p.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe "C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe "C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe "C:\Users\user\Pictures\wr6XLbv7Ijp4TImjm1ouF4U2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe "C:\Users\user\Pictures\PA8JWMmRYiQsN7iqTjOvjsbW.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe "C:\Users\user\Pictures\zUOgRazdYnb35XHU4UIsV9Yc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe "C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe "C:\Users\user\Pictures\0FR80IiNvxJZyXnpOgiDlYNV.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe "C:\Users\user\Pictures\68bEfZA6FBu6lC5BaADYSIdx.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe "C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe "C:\Users\user\Pictures\ka1rT1Ln7XhH1aQSgOeo3013.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe "C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe "C:\Users\user\Pictures\OYqxk9G3x4R05N4I0KLZXbXg.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe "C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe" --silent --allusers=0
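The entries above are the sandbox's record of process hollowing: file.exe starts AddInProcess32.exe (a .NET Framework host shipped under C:\Windows, so the resulting process carries a trusted image path), unmaps the section at its image base 0x400000, allocates that same base as execute/read/write, writes a buffer beginning with 4D5A (the MZ header) there, then writes further at 0x402000, 0x404000 and 0x406000; the hollowed host then launches the dropped payloads from C:\Users\user\Pictures. The list is grouped by event type rather than execution order (the canonical sequence is create suspended, unmap, allocate, write, set thread context, resume). The Python below is an added example, not Joe Sandbox code and not its scoring, that correlates these lines by (source, target) pair into a verdict and then looks at what the hollowed process spawned. Its rule (unmap, RWX allocation and MZ write at one base, plus a process creation for the same pair) and its user-writable-path heuristic are this example's own assumptions; the input lines are copied from this report.

```python
"""Correlate this report's behaviour entries into a process-hollowing verdict.

Added example for the AddInProcess32.exe entries above; it is not Joe
Sandbox code and does not reproduce the sandbox's own scoring. The input
lines are copied from this report (link text removed). Assumptions: an
image base counts as hollowed when one source unmapped it, re-allocated it
execute+write and wrote an MZ header there, and also created the target
process; a path under C:\\Users is treated as user-writable.
"""
import re
from collections import defaultdict

REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\file.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 6C2008",
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe "C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe "C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe" --silent --allusers=0',
]

# "Source: <actor> <event>: <target> <details>"; paths in this report contain no spaces.
ENTRY = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<kind>Memory allocated|Memory written|Section unmapped|Process created): "
    r"(?P<tgt>\S+)(?P<rest>.*)$"
)
BASE = re.compile(r"base(?: address)?: (?P<base>[0-9A-Fa-f]+)")
USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)


def parse(line):
    """Turn one report line into a dict, or None if it is not a recognised event."""
    m = ENTRY.match(line)
    if not m:
        return None
    e = m.groupdict()
    rest = e.pop("rest")
    b = BASE.search(rest)
    e["base"] = int(b.group("base"), 16) if b else None
    # "page execute and read and write" is the sandbox's rendering of PAGE_EXECUTE_READWRITE.
    e["rwx"] = e["kind"] == "Memory allocated" and "execute" in rest and "write" in rest
    # 4D5A is "MZ": a PE header landing in the target.
    e["mz"] = e["kind"] == "Memory written" and "value starts with: 4D5A" in rest
    return e


def analyse(lines):
    """Return human-readable findings for hollowing and what the hollowed host ran."""
    events = [e for e in map(parse, lines) if e]
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["tgt"])].append(e)

    findings = []
    for (src, tgt), evs in by_pair.items():
        unmapped = {e["base"] for e in evs if e["kind"] == "Section unmapped"}
        rwx = {e["base"] for e in evs if e["rwx"]}
        mz = {e["base"] for e in evs if e["mz"]}
        created = any(e["kind"] == "Process created" for e in evs)
        hollowed = unmapped & rwx & mz
        if not (created and hollowed):
            continue
        base = min(hollowed)
        findings.append(f"process hollowing: {src} -> {tgt} at image base 0x{base:X}")
        # The hollowed host is a trusted image path; what it spawns is the real payload.
        children = [e["tgt"] for e in events
                    if e["src"] == tgt and e["kind"] == "Process created"
                    and USER_WRITABLE.match(e["tgt"])]
        if children:
            findings.append(f"hollowed host {tgt} spawned {len(children)} payload(s) "
                            "from user-writable paths")
    return findings


if __name__ == "__main__":
    for f in analyse(REPORT_LINES):
        print(f)
```

Requiring all three memory events at one base keeps ordinary .NET behaviour out: a JIT host legitimately allocates executable memory, but it does not unmap its own image base and rewrite an MZ header there from another process.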
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process created: unknown unknown (43 identical entries)
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\u5v8.0.exe "C:\Users\user\AppData\Local\Temp\u5v8.0.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.0.exe "C:\Users\user\AppData\Local\Temp\u69w.0.exe"
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Process created: C:\Users\user\AppData\Local\Temp\u69w.1.exe "C:\Users\user\AppData\Local\Temp\u69w.1.exe"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zS1198.tmp\Install.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bWycNackLSywaqkmgR" /SC once /ST 21:38:00 /RU "SYSTEM" /TR "\"C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe\" em /VNsite_idnLd 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: C:\Users\user\AppData\Local\Temp\u4dc.0.exe "C:\Users\user\AppData\Local\Temp\u4dc.0.exe"
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe "C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe"
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\H6XhhPCeuwAb2QQK3C3B1Lwl.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\l0nXYBHJHVq6UHyy1YDO9fn3.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\6dpl9L7LbyabhVQNXZXXKjGL.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\JMPZeWvHhArmqROvY\NwfPJCCpQqPYDzK\koEMGMU.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\ikL90ODaFTS7N6FbOffM2D1B.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\G3pV8gTsWQBVrGpK4ooPrlxI.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\vU4jsQbpuBQoMcavMx7b1jzX.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\nxx62MIcAq1mLUazdUlt2emv.exe Process created: unknown unknown
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: VtmtVe55Jwcf3rOGIU1yezyh.exe, 00000004.00000003.1624901520.0000000006A49000.00000004.00000020.00020000.00000000.sdmp, yPlMO3UKyKRvoEYPhbGYOyT0.exe, 0000000B.00000003.1635257524.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, B46afLBMY0mokUgVdA9CQR52.exe, 00000013.00000003.1674965384.0000000006B79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: 4_2_00409D1B cpuid 4_2_00409D1B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_00420063
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetLocaleInfoW, 4_2_004208CE
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: EnumSystemLocalesW, 4_2_004170F1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0042099B
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: EnumSystemLocalesW, 4_2_004202DB
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: EnumSystemLocalesW, 4_2_00420326
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: EnumSystemLocalesW, 4_2_004203C1
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0042044E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetLocaleInfoW, 4_2_004174E4
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetLocaleInfoW, 4_2_0042069E
Source: C:\Users\user\Pictures\VtmtVe55Jwcf3rOGIU1yezyh.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_004207C7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_00420063
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_004208CE
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_004170F1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_0042099B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_004202DB
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_00420326
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_004203C1
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_0042044E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_004174E4
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_0042069E
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_004207C7
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_05BD058D
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_05BD0542
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_05BD0C02
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_05BC774B
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_05BD0628
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_05BD0905
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_05BD0903
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW, 11_2_05BD0B35
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: EnumSystemLocalesW, 11_2_05BC7358
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_05BD02CA
Source: C:\Users\user\Pictures\yPlMO3UKyKRvoEYPhbGYOyT0.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_05BD0A2E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 19_2_00420063
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_004208CE
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_004170F1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_0042099B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_004202DB
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_00420326
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_004203C1
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 19_2_0042044E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_004174E4
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_0042069E
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 19_2_004207C7
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_05D0058D
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_05D00542
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_05D00C02
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_05CF774B
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_05D00628
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_05D00903
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_05D00905
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: EnumSystemLocalesW, 19_2_05CF7358
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW, 19_2_05D00B35
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 19_2_05D002CA
Source: C:\Users\user\Pictures\B46afLBMY0mokUgVdA9CQR52.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 19_2_05D00A2E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_00420063
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_004208CE
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_004170F1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_0042099B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_004202DB
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_00420326
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_004203C1
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 21_2_0042044E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_004174E4
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_0042069E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_004207C7
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 21_2_041E0C02
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_041E0542
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_041E058D
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_041E0628
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_041D774B
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_041E0905
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_041E0903
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 21_2_041E0A2E
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 21_2_041E02CA
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: GetLocaleInfoW, 21_2_041E0B35
Source: C:\Users\user\Pictures\t7IXQJi6R3tWUMJ8f9cQzMWm.exe Code function: EnumSystemLocalesW, 21_2_041D7358
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u69w.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ff086fda VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u4dc.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Documents\SimpleAdobe\UWxz0MPLJemfxFfuxrp6E5vU.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63862B180 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF63862B180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{AF4B7D10-C04F-40BD-A9F0-1F789BBF0FCA}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{3FAACE9B-0B9D-4D37-90B5-C9D5F39DABA7}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: 9wqoiPpK0NIQEBygxfm6h42G.exe, 00000005.00000003.1495305940.00000000006CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Pictures\9wqoiPpK0NIQEBygxfm6h42G.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: Yara match File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u69w.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Documents\SimpleAdobe\F0mqqGl9pK9gdOm2cnZsC1mR.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\u5v8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Remote Access Functionality

Source: Yara match File source: 36.1.0FR80IiNvxJZyXnpOgiDlYNV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.1.PA8JWMmRYiQsN7iqTjOvjsbW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.1.zUOgRazdYnb35XHU4UIsV9Yc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 43.1.OYqxk9G3x4R05N4I0KLZXbXg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.1.68bEfZA6FBu6lC5BaADYSIdx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000001.2063500056.0000000000843000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000001.1883456337.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000001.1945506899.0000000000843000.00000040.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000002B.00000001.1972234564.0000000000843000.00000040.00000001.01000000.00000022.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000001.2017532049.0000000000843000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PA8JWMmRYiQsN7iqTjOvjsbW.exe PID: 8176, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: zUOgRazdYnb35XHU4UIsV9Yc.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0FR80IiNvxJZyXnpOgiDlYNV.exe PID: 4252, type: MEMORYSTR
Source: Yara match File source: 10.3.u5v8.0.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.u69w.0.exe.41d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u4dc.0.exe.41e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.u5v8.0.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.u69w.0.exe.41d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.u4dc.0.exe.41e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000003.1544893473.00000000041E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1398448952.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1454159777.00000000041D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\KPGhFRImEtP9uUl6Tmi54GCR.exe, type: DROPPED
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR