Windows Analysis Report
Xmz1XDgtah.exe

Overview

General Information

Sample name: Xmz1XDgtah.exe
renamed because original name is a hash value
Original sample name: 2600cbb9ad38c10aca6ac4a91900cc84.exe
Analysis ID: 1430594
MD5: 2600cbb9ad38c10aca6ac4a91900cc84
SHA1: f670e02edea5048e57c089ae4042f1f00a5790f0
SHA256: e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847
Tags: DCRatexe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Drops executable to a common third party application directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Xmz1XDgtah.exe Avira: detected
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\uPlspWkqijAQ.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\RuntimeBroker.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000000.00000002.2068660844.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: DCRat {"SCRT": "{\"z\":\">\",\"h\":\"_\",\"0\":\"%\",\"J\":\"!\",\"M\":\"@\",\"y\":\"^\",\"W\":\";\",\"m\":\".\",\"a\":\"&\",\"d\":\"|\",\"Z\":\"(\",\"9\":\")\",\"w\":\"#\",\"i\":\"$\",\"6\":\" \",\"R\":\"-\",\"U\":\"*\",\"I\":\"`\",\"e\":\"~\",\"b\":\"<\",\"5\":\",\"}", "PCRT": "{\"2\":\"&\",\"0\":\".\",\"t\":\"%\",\"m\":\")\",\"F\":\"~\",\"z\":\"^\",\"l\":\";\",\"1\":\"|\",\"O\":\"!\",\"U\":\"$\",\"W\":\"(\",\"Y\":\">\",\"b\":\"`\",\"5\":\",\",\"Z\":\" \",\"I\":\"@\",\"d\":\"*\",\"J\":\"-\",\"Q\":\"_\",\"y\":\"#\",\"V\":\"<\"}", "TAG": "", "MUTEX": "DCR_MUTEX-oHyGiBm2BnEtQkC1Sx7R", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com/@zd3bk5Wa3RHb1FmZlR0X", "H2": "http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com/@zd3bk5Wa3RHb1FmZlR0X", "T": "0"}
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\uPlspWkqijAQ.exe ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe ReversingLabs: Detection: 81%
Source: C:\ProgramData\RuntimeBroker.exe ReversingLabs: Detection: 81%
Source: C:\Recovery\uPlspWkqijAQ.exe ReversingLabs: Detection: 81%
Source: C:\Users\Default\uPlspWkqijAQ.exe ReversingLabs: Detection: 81%
Source: Xmz1XDgtah.exe ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\uPlspWkqijAQ.exe Joe Sandbox ML: detected
Source: C:\ProgramData\RuntimeBroker.exe Joe Sandbox ML: detected
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Joe Sandbox ML: detected
Source: Xmz1XDgtah.exe Joe Sandbox ML: detected
Source: Xmz1XDgtah.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\33d07815358cfe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Windows Portable Devices\SystemSettings.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Windows Portable Devices\9e60a5f7a3bd80
Source: Xmz1XDgtah.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: Xmz1XDgtah.exe, 00000000.00000002.2105547548.000000001BEA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: Xmz1XDgtah.exe, 00000000.00000002.2105547548.000000001BEA0000.00000004.08000000.00040000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com/@zd3bk5Wa3RHb1FmZlR0X
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 145.14.145.191:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com
Source: RuntimeBroker.exe, 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com
Source: RuntimeBroker.exe, 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000017.00000002.2580563093.0000000013745000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com/
Source: RuntimeBroker.exe, 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com/_Defaultwindows.php?AhHKH=fcLr25XP3&5CesUO1hd=uc
Source: Xmz1XDgtah.exe, 00000000.00000002.2063649768.00000000030A3000.00000004.00000800.00020000.00000000.sdmp, RuntimeBroker.exe, 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Code function: 0_2_00007FF848F52C60 0_2_00007FF848F52C60
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Code function: 0_2_00007FF848F42C20 0_2_00007FF848F42C20
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Code function: 0_2_00007FF848F4A553 0_2_00007FF848F4A553
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Code function: 0_2_00007FF848F42C18 0_2_00007FF848F42C18
Source: Xmz1XDgtah.exe Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SystemSettings.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uPlspWkqijAQ.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: uPlspWkqijAQ.exe0.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: RuntimeBroker.exe.0.dr Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Xmz1XDgtah.exe, 00000000.00000002.2068660844.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2068660844.0000000013927000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename$ vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105215938.000000001BC70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePerformanceCounter.dclib4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2063481655.0000000002A90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename$ vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105654245.000000001BED0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105276018.000000001BC80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2063529505.0000000002AB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2063418340.0000000002A70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000000.2024246200.0000000000994000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105547548.000000001BEA0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDCLIB.dll, vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105625648.000000001BEC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUserPingCounter.dclib4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105578894.000000001BEB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUSBSpread.dll4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2062394348.0000000000E8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, 00000000.00000002.2105479249.000000001BE90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilename( vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs Xmz1XDgtah.exe
Source: Xmz1XDgtah.exe, NW2uKWEl2voJx3P2MlX.cs Cryptographic APIs: 'CreateDecryptor'
Source: Xmz1XDgtah.exe, gNbkyc3Fb5IEmr2OunU.cs Cryptographic APIs: 'TransformBlock'
Source: Xmz1XDgtah.exe, gNbkyc3Fb5IEmr2OunU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@30/25@1/1
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Program Files (x86)\reference assemblies\Microsoft\Framework\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Users\All Users\RuntimeBroker.exe
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Mutant created: NULL
Source: C:\ProgramData\RuntimeBroker.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\f254ab210b6257ca012cb1502a65f787fee1c0f8
Source: Xmz1XDgtah.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Xmz1XDgtah.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File read: C:\Users\user\Desktop\Xmz1XDgtah.exe
Source: unknown Process created: C:\Users\user\Desktop\Xmz1XDgtah.exe "C:\Users\user\Desktop\Xmz1XDgtah.exe"
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\uPlspWkqijAQ.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQ" /sc ONLOGON /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\reference assemblies\Microsoft\Framework\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQ" /sc ONLOGON /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\SystemSettings.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\uPlspWkqijAQ.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQ" /sc ONLOGON /tr "'C:\Users\Default\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 7 /tr "'C:\Recovery\uPlspWkqijAQ.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQ" /sc ONLOGON /tr "'C:\Recovery\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 14 /tr "'C:\Recovery\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows mail\uPlspWkqijAQ.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQ" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "uPlspWkqijAQu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows mail\uPlspWkqijAQ.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\ProgramData\RuntimeBroker.exe "C:\Users\All Users\RuntimeBroker.exe"
Source: unknown Process created: C:\ProgramData\RuntimeBroker.exe "C:\Users\All Users\RuntimeBroker.exe"
Source: unknown Process created: C:\Program Files\Windows Portable Devices\SystemSettings.exe "C:\Program Files\Windows Portable Devices\SystemSettings.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe "C:\Program Files (x86)\windows mail\uPlspWkqijAQ.exe"
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: apphelp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: version.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: sspicli.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: amsi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: userenv.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: dhcpcsvc6.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: dhcpcsvc.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: winnsi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rasapi32.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rasman.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rtutils.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: mswsock.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: winhttp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: mscoree.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: version.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: wldp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: profapi.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\RuntimeBroker.exe Section loaded: sspicli.dll
(the same fourteen section loads are recorded identically for a third RuntimeBroker.exe instance)
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: apphelp.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: mscoree.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: version.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: wldp.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\33d07815358cfe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Windows Portable Devices\SystemSettings.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Directory created: C:\Program Files\Windows Portable Devices\9e60a5f7a3bd80
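The section-load lines above carry two of the signals the report summarises as "Files With System Process Name In Unsuspected Locations" and "System File Execution Location Anomaly": RuntimeBroker.exe and SystemSettings.exe are native Windows binaries that live under C:\Windows, yet here they run from C:\ProgramData and C:\Program Files\Windows Portable Devices and load mscoree.dll, the .NET CLR shim, which the genuine binaries never do. The first RuntimeBroker.exe instance also pulls in wbemcomn.dll, the WMI client library, before the networking stack. The following script is an added example, not part of the sandbox report or its vendor's tooling; it parses lines in the report's own "Source: ... Section loaded: ..." format (a trailing "Jump to behavior" widget label is ignored) and applies those three checks. The expected-directory table and the set of native-only binaries are assumptions about a standard Windows install, and the sample lines are constructed here from paths that appear in this report.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input in the report's "Section loaded" format (paths taken from this report).
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll",
    r"Source: C:\ProgramData\RuntimeBroker.exe Section loaded: mscoree.dll",
    r"Source: C:\ProgramData\RuntimeBroker.exe Section loaded: amsi.dll",
    r"Source: C:\ProgramData\RuntimeBroker.exe Section loaded: wbemcomn.dll",
    r"Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Section loaded: mscoree.dll",
    r"Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Section loaded: mscoree.dll",
]

# Matches "Source: <path>.exe Section loaded: <dll>"; anything after the DLL name is ignored.
LINE_RE = re.compile(r"^Source:\s+(?P<path>.+?\.exe)\s+Section loaded:\s+(?P<dll>\S+)", re.I)

# Assumption: where these Windows binaries live on a standard install (lower-cased for comparison).
EXPECTED_DIRS = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "systemsettings.exe": {r"c:\windows\immersivecontrolpanel"},
    "schtasks.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumption: native Windows binaries that never host the CLR; mscoree.dll in them marks an impostor.
NATIVE_ONLY = {"runtimebroker.exe", "systemsettings.exe", "schtasks.exe"}


def parse_line(line):
    """Return (image path, lower-cased dll) for one report line, or None if it is not a load line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("dll").lower()


def check_path(path):
    """True when the image carries a known system binary name but runs outside its expected directory."""
    p = PureWindowsPath(path)
    expected = EXPECTED_DIRS.get(p.name.lower())
    if expected is None:
        return False  # not a name we have an expectation for
    return str(p.parent).lower() not in expected


def collect_findings(lines):
    """Group loaded DLLs per image and return {path: [reason codes]} for images that trip a check."""
    loaded = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            path, dll = parsed
            loaded[path].add(dll)

    findings = {}
    for path, dlls in loaded.items():
        name = PureWindowsPath(path).name.lower()
        reasons = []
        if check_path(path):
            reasons.append("MASQUERADE_PATH")          # system-process name, wrong directory
        if name in NATIVE_ONLY and "mscoree.dll" in dlls:
            reasons.append("CLR_IN_NATIVE_BINARY")    # a .NET payload wearing a native binary's name
        if "wbemcomn.dll" in dlls:
            reasons.append("WMI_CLIENT")              # process talks to WMI (report: processes created via WMI)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in collect_findings(SAMPLE_LINES).items():
        print(f"{path}: {', '.join(reasons)}")
```

The genuine schtasks.exe in System32 produces no finding, while both impostors are flagged on path and on CLR loading; uPlspWkqijAQ.exe is not caught by these rules because its name carries no expectation, which is why the report's other signals (random file names dropped into third-party application directories) are needed alongside the name check.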
Source: Xmz1XDgtah.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Xmz1XDgtah.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Xmz1XDgtah.exe Static file information: File size 3149312 > 1048576
Source: Xmz1XDgtah.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x27cc00
Source: Xmz1XDgtah.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: Xmz1XDgtah.exe, 00000000.00000002.2105547548.000000001BEA0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: Xmz1XDgtah.exe, 00000000.00000002.2105547548.000000001BEA0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: Xmz1XDgtah.exe, NW2uKWEl2voJx3P2MlX.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: Xmz1XDgtah.exe, Ov44rBW9BqExLVkWHXs.cs .Net Code: PxkZDnMADx System.AppDomain.Load(byte[])
Source: Xmz1XDgtah.exe, Ov44rBW9BqExLVkWHXs.cs .Net Code: PxkZDnMADx System.Reflection.Assembly.Load(byte[])
Source: Xmz1XDgtah.exe, Ov44rBW9BqExLVkWHXs.cs .Net Code: PxkZDnMADx
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Code function: 0_2_00007FF848F400BD pushad ; iretd 0_2_00007FF848F400C1
Source: C:\ProgramData\RuntimeBroker.exe Code function: 23_2_00007FF848F100BD pushad ; iretd 23_2_00007FF848F100C1
Source: C:\ProgramData\RuntimeBroker.exe Code function: 24_2_00007FF848F400BD pushad ; iretd 24_2_00007FF848F400C1
Source: C:\ProgramData\RuntimeBroker.exe Code function: 25_2_00007FF848F000BD pushad ; iretd 25_2_00007FF848F000C1
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Code function: 26_2_00007FF848F400BD pushad ; iretd 26_2_00007FF848F400C1
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Code function: 27_2_00007FF848F200BD pushad ; iretd 27_2_00007FF848F200C1
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Code function: 28_2_00007FF848F000BD pushad ; iretd 28_2_00007FF848F000C1
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Code function: 29_2_00007FF848F400BD pushad ; iretd 29_2_00007FF848F400C1
Source: Xmz1XDgtah.exe, VXBxhTWkknLJAuRG00l.cs High entropy of concatenated method names: 'ojoRG1oq7p', 'NYdRAN2WIU', 'TtWRmJRxcl', 'tyFR1kc00L', 'Uq8RqnmxSH', 'GsI9I34B9oHpeM2VOnl', 'zhinfL4H5KoPLmYkpWa', 'W28q93P7w4Duh1voJgm', 'wRveyDPzaOkTgcJqTe2', 'H3NqiY4TUM3naYEJDtB'
Source: Xmz1XDgtah.exe, EMywaPgxSSdhKWLTgKp.cs High entropy of concatenated method names: 'P8M3huFjPP', 'Iia0HipcxuEDE7awxqX', 'XjClmmpmVIh1S858sw5', 'yjH0H3pqibvyKiItHJM', 'vxGQqkpokYhLuNOS2hl', 'lb9T3Ep7uU03g0N1TdU', 'IPGx9XpzUtWYs2jMDcW'
Source: Xmz1XDgtah.exe, LlAVDgWxaoIBr1yPNyw.cs High entropy of concatenated method names: 'fdhEn7TQOQ', 'GVmgdjfoWX58HaIjTof', 'yFGt6Hf74yNWhbD8oZm', 'MX8eBXfqIalINYeDqbd', 'LCi7YDfcGNKduxN8GiQ', 'rNJRHQfzJLFj5YYkEBG', 'Pn7E3kCBC698SA8chKk', 's5H3iJCHTNs2Lap3rp4', 'skf0uNCTFbyff3Un7G8', 'HfcXkbCkRQIXaRvF80M'
Source: Xmz1XDgtah.exe, bEW0lMw96pSFmjvn8vD.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
Source: Xmz1XDgtah.exe, ODtqL8OMhuX0B2co77.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'w6op1KdPoWBWRwPaVao', 'Dot8xYd4lF62WvOs6GJ', 'S1ZrLkdfMl2UdgOUEgV', 'qooEEkdCp0s47bWewPQ', 'FweVkUdxVLPs4pt8u3m', 'J2mnDJdUhMIbYfl5ou4'
Source: Xmz1XDgtah.exe, ondnecCOsv07kjb6nlF.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'dmctRWyVHSHr2cJNClA', 'BQNvAOyIAjhRg8TGwtX', 'uZHPyhyuJK37RWeX11k', 'JBZHOPyYsqnwtRlojis', 'jp1fueybDG6WHggvfOI', 'bLkxcgypASQnqGP90j6'
Source: Xmz1XDgtah.exe, rx7tx0g9lQUiZ9vd8Ux.cs High entropy of concatenated method names: 'BcVqwRLn5C', 'oY5qGgg0NU', 'WKkxY7bjpoSV2fq6ySK', 't7ihY9bmNwC3SYTxGHF', 'FCPmbMbqLxlnUy2bfco', 'jLTS2obcITFcVJwmWZd', 'bZEwi9boEkVUYEHu4mB', 'N1mnbvb71Oy1Ed7FZkp', 'S7s4gDbzuEbCBrpl30k', 'VdgMXYpBUihGionJl8G'
Source: Xmz1XDgtah.exe, q9UJ2doyb6apuvdmeF9.cs High entropy of concatenated method names: 'sg9', 'V2Vcd0Cxbn', 'UCRiP3bVIP', 'ndYcyfVS68', 'L3gG2eE1R1YRpt7rAxJ', 'zV97GKEtXEtko8UPu4W', 'd9KUTBEer9p3Tn72Vv7', 'tio4OpELHRqg0FPgOqp', 'WO75ygEswJcUKFqRHJZ', 'hJp23REamoURqLo1UEQ'
Source: Xmz1XDgtah.exe, R7A2ImwMGE7muJq6Xk0.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'VWK8hIjcQJ', '_3il', 'Lh88dOKVkP', 'erV8yIMhuN', '_78N', 'z3K'
Source: Xmz1XDgtah.exe, OXua05wgmekh6IUMpym.cs High entropy of concatenated method names: 'ERZeXonxBw', 'cu9CraZxXian5oJIo1C', 'nxTu3TZUXJmNLGWlwEd', 'bkUD2vZfy7bKdp0Bgxj', 'BAVqoMZCxC017LqdIqw', 'cMBpHZx2HU', 'JR7p073GDg', 'k5NpcIdhKd', 'g8RpBpfPGn', 'DFbpK59lZK'
Source: Xmz1XDgtah.exe, IYdOBW3mEtEbOfmCjM1.cs High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
Source: Xmz1XDgtah.exe, pGoeHZkf4LVcx0ZnOp.cs High entropy of concatenated method names: 'V0yqFHk3Q', 'b7X3gVBml', 'SDVNnXY60', 'eSgvr1Hdt', 'SjXtY1dWo', 'eKbVE5IMj', 'wfGnLAuZ3', 'IUukUMH9amNwxupPIEs', 'LNWU2YHNVWXG5VZHMfc', 'bSlqrnHgdThASj74b8N'
Source: Xmz1XDgtah.exe, CQn6PAocx9LqdpwGFFY.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'SRE6rjEF5lZ6N01UmIF', 'zuiKWWEXhY9cqFg0dSM', 'jkiPVVEPl9X75FFYh56', 'ej6cv2E4j7PrXvETUbt'
Source: Xmz1XDgtah.exe, xaLNJfwjavLw8SWQTbE.cs High entropy of concatenated method names: 'ERNb3u4uOq', 'vidbvKos4h', 'QORb8h0x3O', 'iHqbD56CS8', 'hOSbb2M9QL', 'EY3buUDoCI', 'NBobXMHh1U', 'Vcqbl9vRiP', 'pPfbgTDjUY', 'ut6bopZwrK'
Source: Xmz1XDgtah.exe, pQIVxDC68AZYDvyxXup.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'g0lxFWAGKeddEyZTAuF', 'jTOIKdArgxRwrVdjWVo', 'bxf6qCAwptZAFUFdLYR', 'XeAkPHASdH8XWqMqrhj', 'G98rqnAvAYkyVXn12PA', 'Uh4GQmAVymB5JTtjVGR'
Source: Xmz1XDgtah.exe, sMff8i3i9iaY2ctCIAi.cs High entropy of concatenated method names: 'VZgviiqugI', 'xRQvpP7WPO', 'phZvQJE4AS', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'RpZveFdYhN'
Source: Xmz1XDgtah.exe, fIACd0CTUMpPcQS3bEK.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'g1K4JvA3qPUFiUgnygk', 'YnQq2tAJU59ip1iRIJO', 'xJc6lUA8hMg2ZoeJ7F1', 'JP2LJRADNZaeVE2NqEo', 'bmPpKgA2YOkPHVYPaEB', 'McxxpYARLgFEEas44tZ'
Source: Xmz1XDgtah.exe, opdMwhvE0DlkMwLHIx.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'eGWlD3O2fTMKcCHhYLb', 'G2rcGVORZtamRlTfeIM', 'O7Ke2sOLp5D3h9LytD3', 'PwUJpYOsgXWfJZD0qck', 'wj4uRgO1pTs04OEHblt', 'qFK2B6Otg6TGjEjeyQQ'
Source: Xmz1XDgtah.exe, DRjnXP3qRK73qvhslxe.cs High entropy of concatenated method names: 'Owhpuo2OtLGfB43s5D2', 'b7Ttid2dSKwKGctEhpv', 'aVfYjk2T9bxjYqjLEVm', 'rWnQsh2kD35bphLUZHK', 'rBNvKQeOF4', 'WM4', '_499', 't1ev48cCNv', 'bSxvjuKEI3', 'BCsv9uvpxo'
Source: Xmz1XDgtah.exe, OpuC6PC5FAy3VaeLOhe.cs High entropy of concatenated method names: 'zDudIsi06Z', 'LDiSZjgTnIdUY79bvnA', 'TbqrKLgkXjB0lSWu66p', 'iZLNmvgBsYCMJyI1mR4', 'I91oghgHkEqKQDexTU5', 'm1kgltgOM7RdQZXvEJf', 'FPPTFPgdw1pFwMauPJ3', 'yLplKxgiVHZaPNmQfJg', 'Y6xdJbmx0x', 'PlOytAgNKZhCBmaUuEB'
Source: Xmz1XDgtah.exe, Oo6LuSCeeA3wP7nR2y5.cs High entropy of concatenated method names: '_2WU', 'YZ8', '_743', 'G9C', 'qMVQOEyioc47rJSqx1x', 'h4wM0byAUA6KgGWIKVN', 'D1DpSjy9QgTHvxk8BrB', 'zysfT6yNBHV3mHolbBC', 'S0iqreyOBQ5ocaVk3m0', 'KeXls0ydkxSfB4rdsiI'
Source: Xmz1XDgtah.exe, Xi8XwX3WQNGhT76LFas.cs High entropy of concatenated method names: 'cMFNUCKXs9', 'm6MNiVciCT', '_8r1', 'rT0NpNmoah', 'Ww7NQ5u9vW', 'apXNey35it', 'y4fNOZgVi5', 'KnRqksJ4jMG45a8dnXv', 'g27lcCJfni9vnp3ceXh', 'EP50LvJCkTlOMiQZiTJ'
Source: Xmz1XDgtah.exe, K46a08zqiqXlhdQigQ.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'U0MiKfikj1QMfG7Gjyy', 'BarfBtiO74qWdlXw084', 'HJ32AbidOtNPV6tJlkZ', 'No5rhEii0H2Bg4T3VJD', 'D6KZHEiA7oskFckOKV7', 'GTGruZi9wRuAL649ejb'
Source: Xmz1XDgtah.exe, nHWBEeoQQFBMEcVipQH.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'ugOcpOaVEI', '_168', 'pKK1JuMZ477ZwbDHNyX', 'EY8K5hMKKb9Fxnpt59R', 'OibyDLMGQYj1CQcjM3K', 'r0mj2VMrS0VTmknbsmI', 'OF2IVuMwn2EreW54xw5'
Source: Xmz1XDgtah.exe, j0trJYJwd8f6lv5iUQ.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'XJraZNkqcjSQew1Etso', 'XLVHnlkc2b3iwYOBXrC', 'ISlc0NkoqOPJN6QxG3k', 'twNIysk7EFVApiZQRmM', 'fDcNsIkzH82onNVioVF', 'nTMTB3OBO9XNFl1KrSh'
Source: Xmz1XDgtah.exe, FIqHVHCoSF1ZFOIEpFm.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'IrQmPHiSrDloegM0je1', 'empS9GivseApZuwQTpD', 'LL0tAtiV8BlsUPvjNFt', 'zygv84iIQhKUehMVX7a', 'cZypbiiuTTi2qsjvh4t', 'Yvdmp2iYWlaY34cxOFZ'
Source: Xmz1XDgtah.exe, nSR75jCcCwq2jhNES7t.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'F4ldfm9hTyOynvdCkcC', 'avur6j9ZBCP6tqmIIdP', 'CniStg9KAvHWRMY0vy5', 'jvbmu79G3oJJye94fQg', 'IxMsyt9r06XopymMpGg', 'X4qdne9wA2EGLwyEk2n'
Source: Xmz1XDgtah.exe, TVHPM1ozxoSnPbis6iD.cs High entropy of concatenated method names: 'HVeptXG98e', 'jtRpVv6blF', 'qxfpnbf8mg', 'T3Or0Qh84GgAFvpnT6E', 'qWpkVAhD4XrrWjyO3VS', 'sCboqQh3Oa2JIHnlqjP', 'k6oXXohJj3T8X917UVe', 'SjnPqih2rj3dLWqQNCs', 'iVMmbghRU4g6GqOAbu2', 'B2UPQbhLDQDLDwMhERq'
Source: Xmz1XDgtah.exe, B95CnkownlptRU4FTbJ.cs High entropy of concatenated method names: 'nEhfx4LqvJ', 'qitfCT4OfP', 'E8vfa2UKnu', 'MSVfIDbldd', 'MX7fsCtOpl', 'A8efJjuYaf', 'IiqV31UwE7V5IVwlKt5', 'TeZBj6UGjjsAw3eJQSA', 'AL76xcUrJr5mehbHAgk', 'uQg30HUSLdLbWotB4JO'
Source: Xmz1XDgtah.exe, pJX8ioWZIH2XtLxQNCq.cs High entropy of concatenated method names: 'pMyZzipBp7', 'fXyRhrXpyl', 'UHPRdA2MIm', 'v4MRyblU1m', 'DrCRZybCD7', 'OJjRRp87GI', 'vx3REUMTAh', 'euXRkYHDGE', 'GflRfkrmFi', 'onDRUWWORZ'
Source: Xmz1XDgtah.exe, pR7kXx3UJtpoxFN0QeO.cs High entropy of concatenated method names: 'IGD', 'CV5', 'QA3NqwIUgt', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
Source: Xmz1XDgtah.exe, SVNUDvC83tMX2oQw2EN.cs High entropy of concatenated method names: 'lc3dnmQhHY', 'HLLoqF9CrUtvbSUXJWL', 'dAMiMT9xhaVC44thZjP', 'uj7wlC94VtmWUjv3Zv9', 'pa56EB9flMFqPfGyWuL', 'ACwbju9Uac5Sl1ixynf', 'pWDBbQ9lRdaPq0t5qgf', 'Rjs2cQ96DEaoFh2Txsc', 'PdLJuU95ERoZII6nxp1', 'f28'
Source: Xmz1XDgtah.exe, YkbDrFyyStdM2VBiEB.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'EFi9ekOyD8mVfEPfnZH', 'BTHWLYO0JZnTGBP8586', 'CUjULKOQoq44Am7S2IZ', 'L6frcQOFQBnTNKM9RlX', 'SDAHsnOXurotZo2kBeA', 'OPlmB1OP8Cpem2YoSDZ'
Source: Xmz1XDgtah.exe, ouHgy3o6trn0gZOiEFF.cs High entropy of concatenated method names: '_223', 'btU6GK6C7dHmmIt3rim', 'MYbXCg6xHbw91Mbk6BC', 'LlbBZ56UNX7AYK85L2n', 'WpEJOW6leEAO0LYHUKT', 'bX31mG66slUJU4D6v36', 'eAqmQ9659N9e9lUnbHt', 'MuJn3n6EvAwMIcdoVy5', 'EuPeH06MUIT3DKwtmdW', 'NA6E9M6hgRA2lM3GAng'
Source: Xmz1XDgtah.exe, VhFK08oeCSA8xAhKEUP.cs High entropy of concatenated method names: '_5u9', 'cxIcRHGmwy', 'AbCph3IL99', 'NulcEY2WEa', 'JSitMBEcrufH6tfJg1V', 'wnfal1EohAV3uqsFcR8', 'gaaCX9E7ClogACPefC7', 'b67DFYEmMeJLYS6rKoD', 'CEVt85Eqc5hZiomQ8md', 'yEM0lYEz2KkcB2pexh1'
Source: Xmz1XDgtah.exe, IlOY9MwHAxDGpUteZ7w.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
Source: Xmz1XDgtah.exe, E9APIHtfj9IWVJdN7k.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'kSDTNMfjx', 'eEasioTURKU4HbDXSvG', 'MtKymhTlOEjE12IVkin', 'y9mSHLT6WaSNPul2egj', 'vQOZtlT5edLFybFFWO5', 'FuCK8bTEO2fvZZtOojA'
Source: Xmz1XDgtah.exe, eoGxSGCE5g9Feb68bfL.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'e6eCRhimt0O4lfYfoHX', 'c7puKAiqxCqTA7fMoc7', 'pO86REicfiFQvUvKXAH', 'in2w1Jioqr4kkQEBlZe', 'p0N7LKi7PBsxB3Gow2I', 'u2U6mLizfoVau6pCaa4'
Source: Xmz1XDgtah.exe, yTps8eC2B4m1iQdPp2r.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'nkHlNk9BIttm7o5Sxq5', 'cCFU4G9HA3Klt28Tc7n', 'jC5XvW9T9EpVxxprZVR', 'mmg97Q9kbZxiCbcxXXR', 'YpteOd9OhQgLL1VjvTa', 'vKZKvL9d5XFeOrH8bC3'
Source: Xmz1XDgtah.exe, M31ykgWTatOQZ2hdCKu.cs High entropy of concatenated method names: 'LN5ZYLwkIo', 'YnM4dKXko1vmDFUjrP6', 'So5kmiXOVJUGPwRv4y5', 'ff2crNXHmtkZyJqeNZ9', 'UtlT6TXT0SbTyiNlvqU', 'VFn8HPXdaOu1qqgXC9s', 'WEiS9qXixFv10bu8juc', 'mAhaubXAmXK8M1xOXRU', 'RkVU42X93EB8qrSpHhv', 'bDgwnOXNxbCGglAyDKF'
Source: Xmz1XDgtah.exe, j3jDSkg5UDA4hIK0cSb.cs High entropy of concatenated method names: 'DZ3qJD1Gbv', 'FvBqWTJh8N', 'g2bq5hNLVP', 'zx52RlpJxQT4JLLJ32b', 'wwrNsMpWYKJ64vbvQqW', 'sxkhdjp3jXWlClk1UEB', 'FjoEi3p8SFBa3rukjiF', 'tcnIoEpDbRDXd2g0vAV', 'Pa9YFAp2AV77HZ4n9TN', 'edSmgKpRiDuDaWgwYtf'
Source: Xmz1XDgtah.exe, NW2uKWEl2voJx3P2MlX.cs High entropy of concatenated method names: 'j2TlWELK80U3fmFd8us', 'Ba2WH6LGVNRVb16OQ43', 'YUMJTrLhVfkNiKtuC40', 'aqTBgULZE51TnJOtnrA', 'iw10DCA4Mq', 'k1nE4wLS8t7n6ynavrn', 'MaKrTrLvIsywaEHGID9', 'xiFuDNLVcF1J9LtXFZo', 'bEMqEVLI2bf9yTdbScf', 'y4O1K4LuuZNgUYS4Epo'
Source: Xmz1XDgtah.exe, ifYcopaJKpaGbfgM1c.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'xpuWpYkbaIW9BuHI4Cf', 'IS3c5bkpd4Un7rTDKPU', 'hHIPsXkWpBV9R9yogxR', 'WNYIJck3UfIMCBE0kXk', 'lYBuBgkJpWrJ7Ao5aj9', 'DLS2RMk8MoiBobLQqj7'
Source: Xmz1XDgtah.exe, AdhmTuwRtvZsUEfxSvq.cs High entropy of concatenated method names: 'bX3ORee9Hg', 'HWZOEckNvh', 'D0hOk9qLMx', 'I3aWmnKfAnB6UHdXBFh', 'ts05VbKCy8tgobjgcj5', 'gNYsqWKPvwwdOn3tRfc', 'xxQ7HaK4AYpUSiTfYor', 'n9dwsxKxpgyfdcy3qiZ', 'RAFWGSKUj4BcUjVI0Lq', 'TB3MTiKlcCmLucQhMDo'
Source: Xmz1XDgtah.exe, iH96oGovhK1TS8iXnMl.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'HGGcfWEVn1', 'XWqpRSJfVB', 'pBYcU26vUb', 'x4JqiVMFRXdtnggZNQU', 'LELoQlMXRt0NuXAXip6', 'Pibgk2MPqKrTSSqgDv8', 'Vos2tYM48WJVD6qNZ07', 'cjXsqKMf71LuuRtkhxt'
Source: Xmz1XDgtah.exe, MJAyirwZLFxSCcvr6H0.cs High entropy of concatenated method names: '_7zt', 'cHjOogrouJ', 'hM6OwNW3Lc', 'RCiOG5njmt', 'shOOAMTbIg', 'gUhOm8iSF4', 'J8oO1nuOuQ', 'WRoe5OKEo5IAbNVRCQB', 'ARe6aDKMOf4qxau424R', 'M3Pdb2K6F0hpwgjUb4l'
Source: Xmz1XDgtah.exe, B0gnOQoC0SxpYEmyg11.cs High entropy of concatenated method names: 'FHefngjrMo', 'vPDfHTVk3I', 'OTNf012ruK', 'PfYfcHRACh', 'BkgrsvxzBvi4DgZBFFN', 'EUGhdIxoFYWMeZbWpke', 'jlbpcNx7Gsh1ycHlbfj', 'OLvH4oUBHcOXFbv0AdA', 'hrcOJ1UHWMDHVyS8EnA', 'rosXefUTCrZxT5mXtcC'
Source: Xmz1XDgtah.exe, YGY5Pyo21S7SSERU64v.cs High entropy of concatenated method names: 'yMtUMDCRBx', 'kU0UrWthep', 'AooU62PKDs', 'C0YUYEkQtn', 'CUMUF9oWoc', 'wHsNJP5i1ucGDpMwAbe', 'hVVUoN5ApJnHyKBNAc9', 'awaiID5OD9PjkuwIK5c', 'VqmnPS5dSTqrYS0NMyx', 'kF68ke59ltvxpjdIH5j'
Source: Xmz1XDgtah.exe, AIvHJ8CjdlG0mxtqiLl.cs High entropy of concatenated method names: 'H8Gyo3pQre', 'hSw6sV0i09U9pkE8gj0', 'vp66PX0A5HcELfSnQXV', 'dGQR2c0Ob45LcFWviTB', 'rYHd4R0drZrPhT7oQhs', 's8t7yd09PdXiPIEgIAO', '_5q7', 'YZ8', '_6kf', 'G9C'
Source: Xmz1XDgtah.exe, kVukJswufJjeN6Q2t2J.cs High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
Source: Xmz1XDgtah.exe, Me9J1bWJ110Pv8yn3Br.cs High entropy of concatenated method names: 'BuZkUwkiSQ', 'IqXkiNeifl', 'pbXeQNCmRlWQTu6YIw0', 'gVFTKdCqgHx9wwGpBVj', 'gLti92CnZCIVhwrSFsl', 'tH24ElCjGI3hj8WwgEs', 'KaukXOLEyh', 'Q8GNi6xBn86sRuj2q8Q', 'PBOiaIxH2U9S8sqMVS2', 'DC0rnGC7mGeJi3mDBBO'
Source: Xmz1XDgtah.exe, pgb5pA3eK6wOSiMr4Q9.cs High entropy of concatenated method names: 'PJ1', 'jo3', 'pR2nirWStl', 'XaMnpRNnph', 'dgsnQCQN6i', 'EC9', '_74a', '_8pl', '_27D', '_524'
Source: Xmz1XDgtah.exe, Obgqifw6bCPZo00DCTD.cs High entropy of concatenated method names: 'utHe4okqKp', 'R5nejvuZVa', 'vxEe9RO3eE', 'wR2eSMNyxJ', 'UdieTPGlsy', 'MQEsIAZ7P1Rl9AJteKf', 'FjxUdMZzWLWATEfS72T', 'Lj0TDhZcOuOi1jGLywy', 'H6VGueZoCyhyxLKaCDq', 'U4LfwTKBSHZiOOiUbKr'
Source: Xmz1XDgtah.exe, D6gLt83S3B9WFjDEZDQ.cs High entropy of concatenated method names: 'EIcV99jDWy', 'Y0VbSf2SmIW2aKuTcUL', 'TLbdN02vsS9XxvNjklO', 'zB1rF22rjBvaHk26sny', 'RWaF3a2wmHOHcMKYg7b', '_1fi', 'V3itLgHtvL', '_676', 'IG9', 'mdP'
Source: Xmz1XDgtah.exe, ujH7EjWWPThNqvJAJWE.cs High entropy of concatenated method names: 'QqdyJgBIvt', 'nL2yWhfTe1', 'P5qy5Zs0f1', 'TiXyLs9LIj', 'dVFyMEBWMg', 'mglyrksSUW', 'P51JrxQC6mWtTHc70Ky', 'UNxOlSQxeSU4cVM4vPi', 'a4pjOyQ48GZwd43onaB', 'K0txknQf5NntfRA9XfA'
Source: Xmz1XDgtah.exe, DMh4lNosPyJ75rS9yL3.cs High entropy of concatenated method names: 'BUjUWMeaAQ', 'EA5U56wF1r', 'qRnULukO5e', 'L4DaQU6LjdrOJMWCqhw', 'H8Ap3w6sRTxxvcE63mQ', 'iybHkw61kQctA6Nx9vB', 'OahFxR6tkHeMeYSEGLL', 'mw0AXg6er6sAw3WxBix', 'tq3S0h6aOunogcXcSOI', 'II2qaY6nOLCJLiaVOyS'
Source: Xmz1XDgtah.exe, xI4qWHCsxHhA3sW0l3F.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'yGF3ErAn8TUpX0gtr1E', 'zFNjLvAjTwJvUDWGQ8d', 'oODXuoAmDZfXvkcGi6q', 'iRP9F1AqJiCMMLboliX', 'lmqKOiAc8PpWJ3nh5EL', 'rADp0PAovWmbX3umMos'
Source: Xmz1XDgtah.exe, R5cryb3fgU3RblKtF34.cs High entropy of concatenated method names: 'U8FnmDofN6', '_1kO', '_9v4', '_294', 'HK1n1wjnN4', 'euj', 'kpenqrSKIt', 'xs2n3sbJ4V', 'o87', 'w8ZnN0ZtnR'
Source: Xmz1XDgtah.exe, WIiIHKg4DIpNNIvh2tg.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'YCX31y9NKk', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
Source: Xmz1XDgtah.exe, sjDdXRoMLE7ilCKfZtH.cs High entropy of concatenated method names: 'OaricAqrCb', 'ejoiBK59sD', 'UGWYkoExCg2x9urjL37', 'G8MANOEUHMo8PBbdUQh', 'VQlBmDEflZgKRNDPx7n', 'hyJiFhECmyB82mDGK6F', 'd3wZCOElLmgiqPbL7Bo', 'OrUetwE6EtyvgHBnqT4'
Source: Xmz1XDgtah.exe, gNbkyc3Fb5IEmr2OunU.cs High entropy of concatenated method names: 'SSA3ItXaJt', 'laH3svn9wQ', 'Boq3JU0Qbb', 'zpN3W2ZUvb', 'vy435U4EDk', 'KwX3LUUrnH', '_838', 'vVb', 'g24', '_9oL'
Source: Xmz1XDgtah.exe, mwfabDWarpK451SmPhu.cs High entropy of concatenated method names: '_0023Nn', 'Dispose', 'mvlEKYhLuV', 'SSgE4s7p2w', 'DO8EjkWZhK', 'OI9E92G04V', 'fY4ESvV86G', 'wBLr8tCN2OYZJ3i9pvb', 'wd951qCgEnWBFfX71Xp', 'OllXiQCAH0vNWtqNxiC'
Source: Xmz1XDgtah.exe, sGgb6lDXCFMQhsOP13.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'Nrc50ZdriyxBFyclUwG', 'VS3bKTdwMwYLkOBFho4', 'WSGIOfdSROZJ3IMhWh0', 'DqOyledvpna1O7u3SRF', 'HvV17NdVXJL04JAP4kR', 'wjUjvEdIEJypimvaPhy'
Source: Xmz1XDgtah.exe, HhVrxv33aal6xCrxK2F.cs High entropy of concatenated method names: 'Qkp', '_72e', 'R26', '_7w6', 'Awi', 'n73', 'cek', 'ro1', '_9j4', '_453'
Source: Xmz1XDgtah.exe, fXC3MNgp1seKCyk2w86.cs High entropy of concatenated method names: 'rVB3RBx1A6', 'AF73ENMu8H', 'OZ23kJwkuA', 'cga3fyEfWZ', 'HQl3UfsY02', 'fIp3i0O3oM', 'dQU3ptumKV', 'OvQ3QMDKxZ', 'jSy3euwFUr', 'xIf3OOYDu6'
Source: Xmz1XDgtah.exe, lHG7TtwXwHgkdWC9JB0.cs High entropy of concatenated method names: 'Y3FOBPcOja', 'dnsOKgAreY', 'bJeO4hvnA2', 'fG3OjA0Hxl', 'rbBO9WwkMK', 'T8mWvlKYMPd6dfknEV9', 'pM6LmHKbK41H1BYpR8K', 'VTob6eKInPu9hrgsn61', 'QfgENHKuvSmbcUx8386', 'VvufliKpP69DHCrqacB'
Source: Xmz1XDgtah.exe, Lw9nRcWhlwm9SRX1rEX.cs High entropy of concatenated method names: 'UkSR8wuqcV', 'RYbRDkEiXG', 'ULBFVyPhohm5siIOjvL', 'sM6OWDPZo8083Wvawdh', 'rVBWqkPE9icR4CsTval', 'hyG41SPMJpSTPCMQE8s', 'j0lYgHPKSYhcybI1DKU', 'UPbt4dPGdUeA3qcmoP1', 'GxTVtKPrxqSBDQM3CXg', 'gvIiXTPw2gQMh8Yensh'
Source: Xmz1XDgtah.exe, ew8DItgoNSZR99qKhWk.cs High entropy of concatenated method names: 'DSGvrdIEtaDlm9qoyJf', 'veYjoZIMmCop9u5jOws', 'DQPnkiI6nhKW2kHqyiw', 'J3g2pPI5MsoXkIndCgn', 'SyVwqKMPLQ', 'O39DobIKZSfEfAHY8Yd', 'NieSbDIGJZNURsoQf5U', 'hKR1X1Ih1ZZa82pGO9C', 'NykPw1IZQIZIPsvdhtX', 'RlqtKPIrYXZ3jkv8eUv'
Source: Xmz1XDgtah.exe, AZ718mgm4rM6h9Q7BUq.cs High entropy of concatenated method names: 'WfpqS0LOFF', 'exwqTb8N94', 'hFOq72pJZ7', 'k0yqxZjoWP', 'O6lqCqG1KB', 'MEjtwYprtsTfTVRpEQU', 'uTfkwEpKFnGHx0qMyPD', 'ATpAH3pGYnZUVLfLwTA', 'UeXvoVpwhKphIrgf0PY', 'Sek4GfpSQijKhWDvg73'
Source: Xmz1XDgtah.exe, AJkNgoCBBh9fhitKckV.cs High entropy of concatenated method names: 'lfKyde1yRx', 'mHHyydt4Cu', 'dAYyZFlKNu', 'XQP60mgaJPs75aGG2Ys', 'FWcdDqgnkUei0lliKRS', 'nlK2FGgtTRhR5BYQMnA', 'atMPdwgemeKajcgeres', 'REUODXgjHkpwtnWXoYP', 'WgAaGwgmtSj7jNVbGUL', 'TjaxM3gqScSydsmuOYA'
Source: Xmz1XDgtah.exe, xaLyAce140I22S6FbY.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'BiGCh5OCCVge4lhhscd', 'Qj7q0rOxCZG1T88N93K', 'UMfcLqOUe4pm4C17o1w', 'lXqsXxOlb12GD5dOrRR', 'htDce4O6CjCuKrIRCTw', 'XreddTO58xlsfMCWCoV'
Source: Xmz1XDgtah.exe, o2pE1IWRUpqiShZB8f7.cs High entropy of concatenated method names: 'TMWZPFb2nt', 'IiHZ2AqE4I', 'wUD5thXUlbq6h5klvyL', 'AlKCHZXlsy33Bf3s8SD', 'WQalo9X6EM3R90woD13', 'OT2NJUX5HswJ99uXdL7', 'Oq7GfXXEGobjXDKBoFm', 'JPnprfXM0WLqfaU7BGg', 'WZMDNCXhyhbFPBDghHf', 'O9di7tXZyjcUJbhdPF1'
Source: Xmz1XDgtah.exe, lCptlDq2ZQPVK2Ntjq.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'KKGCcJm0D', 'Xm1N9wTYBSI29JD5y2o', 'NROtPyTbK9gEXZGCT0u', 'ltcHJ4TpJWWjomrdX09', 'M90uVcTW9jnWgc4IAja', 'uA8BhXT3V8juqfZXf3b'
Source: Xmz1XDgtah.exe, CFi1lQYsd1eKeFRQSO.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'lUrmQtToUpdkEKQ7gIN', 'ajDdHnT7r6wpjacLX8l', 'YVVwAFTzR9jI0uX6oji', 'zhuTmFkBBERcv0eV1xr', 'wd2gCHkHtXsydp3Wj26', 'AuCPmakTaTq171MESJO'
Source: Xmz1XDgtah.exe, xPNY6WgPDVY3aAxtGtQ.cs High entropy of concatenated method names: 'oBn3tTlr2x', 'G8i3V6V8Js', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'SRN3ntLVnQ', '_5f9', 'A6Y'
Source: Xmz1XDgtah.exe, Cyk737CvAkUhf6DysSq.cs High entropy of concatenated method names: 'yHFyQf3Ehx', 'OPKyeY0xtT', 'J0WYh3y08C9O4GrACrl', 'UvqPWeygx1eH3TaN1Xf', 'NrLVSPyyN6gCflKxHMu', 'e4QgmMyQgpgu2Xj2pJc', 'NQaIMNyF2amentYnNwu', 'y7LgopyXGuAdy2AE54l', 'AFnsEDyPJHogZUyxuiw', 'YwbcoHy4SE7POEVJF9h'
Source: Xmz1XDgtah.exe, sTh1UR3c9CyquVh1BdU.cs High entropy of concatenated method names: 'lmENwbxH4h', 'qsrNG1lDIs', 'U2CNANnqxo', 'KRDNmBhN6x', 'KLDN10vnwp', 'mwNt2XJc02CRtcISgjO', 'rdpoWLJogUIg78fnWnV', 'FLqdpjJ7SVfulSd0KD4', 'BhQJMCJzGiPlFpfo2Pp', 'nsEwDB8BPta288v46WS'
Source: Xmz1XDgtah.exe, fCouIVCCB6lQUrEJNPW.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'fyAO4OiUjWOw4GS54ja', 'IUVdtPilWyPcTLMaubr', 'CAaH2ci6MPi2au2O4C1', 'DdKGyAi5DFc5Q8ybJPM', 'pMuLsviEmxqxn39FI78', 'OXkj17iMmv4G3GA5u1E'
Source: Xmz1XDgtah.exe, WRKVPAQJcxXInQXOLt.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'u78JHadirDmnveMtTFc', 'fMSdHDdACmibfYcOKwx', 'fbmMufd9rqdBg7cIZBf', 'k3lbsNdNVYbp1jIvL4j', 'RvGcWBdgLPtyXnVXpQZ', 'tGOQw6dyt8rhyo0G42V'
Source: Xmz1XDgtah.exe, kfNUuwoDnSZPpSnmeNj.cs High entropy of concatenated method names: '_269', '_5E7', 'eSgcDr1Hdt', 'Mz8', 'eKbcuE5IMj', 'ydR1E2MaPyy4BxhdGUW', 'iWHcxAMn3B2s38K882s', 'VJVDqjMjHZvqTmyXe4f', 'NOXRTkMm3cV70knsvm5', 'Dp4okhMq9PKZjH1f6GW'
Source: Xmz1XDgtah.exe, zBiGeBWPA84XVIMuAnm.cs High entropy of concatenated method names: 'jZmf3fXvop', 'xM9STlxeBnSdmivZ8E8', 'd6icNgx19vavVIwV1OH', 'ktxc8AxtX8ZeUleuLi7', 'InaJTYxaZDFVBVfFNnL', 'Tg0bo8xndpNqpvbYtjS', 'rLQfgEATh8', 'bHFforK3OK', 'y61fwDIwux', 'T4pfGdqtuH'
Source: Xmz1XDgtah.exe, STuIlCCmwaqhSJsa3fo.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'y33O9d97rYOWsXJPfqG', 'NpOicx9zOd7JMcjZ0OI', 'UCeBJANBdmFnNqLVPi3', 'h4oa1RNHFuQtT9PdOCc', 'Ij6sduNTsMA1TOMPFaZ', 'GMG4MFNk2p7VdSurwyD'
Source: Xmz1XDgtah.exe, B76DWIojeWE25NR1ra9.cs High entropy of concatenated method names: 'dnZ62MhpgScAIJY6NUy', 'iNchyGhWAcZOkt1ou8k', 'qegpv7hYPZwfL76x4Uf', 'PLFNkwhbeNr9bCphel8', 'IWF', 'j72', 'DrPpXHsLb8', 'tLxplwNZiV', 'j4z', 'KmkpgKLQN0'
Source: Xmz1XDgtah.exe, mBRdeFEKZmxWZsLRnMR.cs High entropy of concatenated method names: 'awm0qUunJc', 'JTN03cuYW4', 'uSj0NEtmWe', 'E1E0veiDb8', 'Eaw0tRqfHi', 'jvo0V9jwy7', 'm880n7IXoK', 'FnQ0HuejJg', 'x5t00mpkHI', 'x1u0cekBDt'
Source: Xmz1XDgtah.exe, NRRREk3KFXQSk6auUrq.cs High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
Source: Xmz1XDgtah.exe, YjRBshgA8ZYlnLFbElg.cs High entropy of concatenated method names: 'FigPw0Wdaybrcnd7o6X', 'dNhsF9WirNhoJDROkgu', 'S42oXcWkZFSEPMhRcUP', 'qx7GmPWOD1cJA2Hifel', 'phKuVXWArcqflkoiww6', 'q2s4vIW9ZlBOgRVvbLE', 'wYOtCRWNPXLTx092klR'
Source: Xmz1XDgtah.exe, dtYtpogiGnnSGZRuEID.cs High entropy of concatenated method names: 'MD6qaylAL8', 'Bq9qIqTNRb', 'v5BqsgJIic', 'gLPD4ApY6vfk52WKrSt', 'jdO2qlpI2Qs9n6von8C', 'geNnsRpuc1pq17KBE3S', 'n5OGripbokH5WMRsAoM', 'zMPVu6ppi87PqhWoJsQ'
Source: Xmz1XDgtah.exe, tKmh6owDdVsHu8xsQfH.cs High entropy of concatenated method names: 'GcoDP4AiQR', 'JEHDKvQeda', 'sYCD40jUgI', 'ymsDj72mWV', 'UqVD9TChpw', 'o0lDS5T3Uc', 'bf7DTAoPf9', 'vZsD7E4Ivw', 'qpTDxCgpX2', 'VSRDCwebxX'
Source: Xmz1XDgtah.exe, pixbG4CxUadCD6IuiJ5.cs High entropy of concatenated method names: 'EvfdrxG1Vo', 'RIiCkAgheI6h0UoukVt', 'S5t10kgZtK04NOWyxeM', 'bWRxL4gEabPQjatTrY7', 'l5p9NPgMfoXPo5cpC9V', 'Uob1NNgKE3AdxCv8mVL', 'QLw', 'YZ8', 'cC5', 'G9C'
Source: Xmz1XDgtah.exe, tZ0n2MN0WkNFLD3wqm.cs High entropy of concatenated method names: 'NUuK1E378', 'EIO4H6sbK', 'XF3jguW6U', 'QDQ9oqHWcCf7h2PYCGK', 'M3MRPsHbW5YgDWlmvTW', 'x6VOheHpFCcyEbEhH7w', 'fjoGBgH3ZYTcBYUbc4d', 'p2ti4jHJBMwtt8iMnlt', 'xVMBoeH8clE8GUqiXfx', 'J65VZbHD3FDAE9sP7Tf'
Source: Xmz1XDgtah.exe, k8GxMiWF1ujtlSnSoF0.cs High entropy of concatenated method names: 'iFfy3vFyGy', 'At5yNZUFIA', 'GULyv9PeTB', 'kue6m40I49enSnmF3hp', 'p6c4yT0uhZmlKBNVl6S', 'o2kUpO0YFYrZoJQg535', 'iuR6xq0bGgDvHxnDvKY', 'GBSEp00pfmiq7ZMO3XM', 'CSOB3j0WkJY3JjSh9jS', 'OkbZ7d0vliC6KToH217'
Source: Xmz1XDgtah.exe, Q3NB1eCiooSOnpdWeeI.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'p4wlBqNb4F7Hjiug7YV', 'CMKEK4NpAxYZilPJWps', 'xjYjBLNWlDKd1rNqejP', 'Ep1aPiN3sqg9PqSdKYK', 'FLhlW4NJ6eQ0F3K1yNG', 'hQ589XN8932hMTL8IDr'
Source: Xmz1XDgtah.exe, O5ZfY3LJAACZAnXIak.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'KQgd0aTyrMEAIXVpFaK', 'u27083T0gwYcgrE14sc', 'SgwiDpTQCqGFYjkgtdT', 'qrVMtwTFQcWkNkPQJXI', 'XgfxJcTXv0mJBiPk2Kc', 'aYEXEtTPYN5UcPCGrnJ'
Source: Xmz1XDgtah.exe, GDuDGlH3WlMay2ZWl3.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'NBdMqcdjUavBmG5IKI0', 'wTaUCgdmfkYw47jp4hc', 'ji7A4vdqlcJlvPCYUrc', 'nJjA89dclvWtik2P186', 'LR5TL6dogUHuNp6wkMW', 'q7x71kd7d3JINIdeopg'
Source: Xmz1XDgtah.exe, GMXPLcWi61q3w7hqBqR.cs High entropy of concatenated method names: 'bfqRP7YG9U', 'iS6R2dJx4p', 'VY8RzLhoqa', 'xstEhTgh8s', 'Vr0EdCX6GW', 'fAwEy22PBo', 'QseEZpHQSR', 'na2ERZ0TbV', 'moNEEtFJXu', 'fL3jOX4mgAgdE1IebLG'
Source: Xmz1XDgtah.exe, tmYIkBo8hLy9wME2pBE.cs High entropy of concatenated method names: 'B1mibOKDO2', 'A1hiuKkr95', 'oU2iXinfol', 'Pv9JJQ52MdR6KUNqDbv', 'BhRjeg58VtAG2XDCA64', 'AiqBxu5DVdsZZb14wRY', 'ywAETT5RgmPvtj9ydPM', 'a9EikjA4wG', 'PoiifBxxry', 'Vf1iUe4Kfp'
Source: Xmz1XDgtah.exe, gCNrrrCgDsQDlucMCK1.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'DmT6HNiL0rSbTAHFGyZ', 'TqXaBjisfNyTNaENveB', 'aQL88Xi1qU5G4UfbNlC', 'M0aF6Qit0sQQ3gPQEiZ', 'BGV8xVieqsr92gCtw5n', 'p6D1DMiax1tDUZLR35p'
Source: Xmz1XDgtah.exe, lYy90fo1eowpq3NN10Q.cs High entropy of concatenated method names: 'iV1UBGEv7S', 'UDtUKixqRb', 'l38U4u5ZjW', 'N8sYe46XNFe8U52r66m', 'KXfIo66QGV5PT16cOPc', 'moeY0I6FJxZM9BMaEWu', 'RU33sc6Pa4UqVqmEYq0', 'INwUbWgMBb', 'DCdUu3Z3pA', 'RnEUXxqgRg'
Source: Xmz1XDgtah.exe, RUsfCD3teIdfvEYJ330.cs High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'T6jv3ONJv8', 'kT6vNcW62a', 'T1Evvbw6lr', 'J5FvtujT3x', 'r0GvVBmEki', 'orqvn1G8YK', 'LVhZxSDpde7k7SRRBG1'
Source: Xmz1XDgtah.exe, M0F2EECaBDQwDitQQ1h.cs High entropy of concatenated method names: 'XAhdPjukUj', 'bR97KOgpi2KWcEmFXSd', 'BNSCMfgW2X9YRdLtDJv', 'DZMn6ygYjonBfSFbSdr', 'rwIu5VgbCnq3UXiVFo1', 'D8SRxUg3Wg5sDdUeXc8', '_3Xh', 'YZ8', '_123', 'G9C'
Source: Xmz1XDgtah.exe, QxTUpcoOZqZRtHo6BDF.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'LyBpQQumHs', 'b7XcOgVBml', 'r49peGi0tR', 'SDVc8nXY60', 'v97gcYMWi7DjMiHFJjA', 'uRLxLIM39S91IR6ITfQ', 'pypKS9MbWw0HA4XNYvB'
Source: Xmz1XDgtah.exe, zvfDiaoTaErm7sjyNXp.cs High entropy of concatenated method names: 'b2FUCO3o74', 'uiSUa63pKC', 'YGEUIelXTT', 'SM9UsdbjUp', 'DPsydI6udicyddklMnk', 'G9g0Y76YUfbmD61iOtv', 'QIIlCU6b8JHVwG7sXAP', 'mQfZAs6VTM7c7q3uaNw', 'jO2Eif6I9dmhs9cvu8S', 'gcWpUO6pIgZWp1FRAcL'
Source: Xmz1XDgtah.exe, Ov44rBW9BqExLVkWHXs.cs High entropy of concatenated method names: 'X7gZcAiR2i', 'YpTZBOeSbK', 'N1eZKoYACw', 'UkrZ42re6b', 'qubZjq62Nf', 'mHTZ9fYcHf', 'lJNZSuOmjf', 'PYK1ElFhhQYeTUDwoYG', 'iGNyI6FERJB6xdCKMW0', 'PHS0hXFMyL2AVawMOpH'
Source: Xmz1XDgtah.exe, JBIpSujjeWOHpjycqK.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'xfBcWCdR59KHxkVOanp', 'UCbwCWdLJON6nEjP2ER', 'GLJLxfdsHf3HiqacdLR', 'woXumnd1eyUGaWuyn2w', 'rBY3e6dtF68KuFr2X74', 'XtdsYjdeNGKnlSdsbk0'
Source: Xmz1XDgtah.exe, LP7vXPEuhkbvxISE2b4.cs High entropy of concatenated method names: 'MITC7Fssa3oeA', 'GC4uqYLPrN3RKjJTZB2', 'K3ATh2L4QJpLWZ3BBv6', 'ho5Eq2LfD3BvajKdn3I', 'CLRBg9LCIeAaaaQgQKG', 'qWD4OOLxVy0x1M09sXp', 'EwLbXKLFQtUpSjUlh1g', 'GX8Ta5LXGuklGaYDNJv', 'L8KqmCLUAI1MFEa7hOF', 'PV1hg8LlDaDf5dX8mD2'
Source: Xmz1XDgtah.exe, bHYsElCQINFAZN3tR8f.cs High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'JvdXpKy60qkUQUMytTL', 'wuKoeCy5K48iBrxOFSx', 'vPMSnVyEwtmKTsOKwJr', 'Jaq4BKyMKTeEtohxaUW', 'DP9KFqyh7PH1sh7He2C', 'UdV5MiyZc1isc4IgsWM'
Source: Xmz1XDgtah.exe, qcHiR2CPb52CIEwCOqh.cs High entropy of concatenated method names: 'HTdymtL1mj', 'TAFy1TnDki', 'DakyqI5b2R', 'PR0Ng80yRqh2c7shauU', 'QfqHv80NIfL5x0uTHfC', 'u1MjCl0gbIG3PFD2HQU', 'JHK2Zy00GDBq5yGXBcc', 'Qt3ZyL0QrxiglxMDrte', 'HCVU5F0FKZsfPJEKm5C', 'bVahcG0Xe4kT7hSEKrr'
Source: Xmz1XDgtah.exe, tSqQvqCUkYidDfRV2Qp.cs High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'jo7xxq9Y4Nnu1ncE0fJ', 'CkBWVM9bEPT8wpX7HFM', 'nhl0Xe9pOOBIO9g28Uy', 'ice1U49WY5HJnHEUt0w', 'xUHaJs9393bj4FHnINs', 'Exwyf09JonLTdidemKf'
Source: Xmz1XDgtah.exe, QkaFTOwmRMAbihVGPUs.cs High entropy of concatenated method names: 'vWm8BZp7jm', 'Tig8K9Txkf', 'IHF84bHFOK', 'Mgx8jsL5Fa', 'HGD89eq4P4', 'myW6JoGUFjI9qpw66w4', 'bfT7F9GC0mjvSprhkuj', 'A4JkAtGxbA1MvN7NbPx', 'JebgrvGlfkjECrmAsbH', 'Wi36oLG6xJokPXGr6E6'
Source: Xmz1XDgtah.exe, O7CXwVgbtb6Nmf1K2uB.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
Source: Xmz1XDgtah.exe, rHrg37Cuk51NuplUb96.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'YnDHSBAU7S3gqedQws6', 'VGIparAlbhDUA9BW990', 'J6mYhMA6htqr3y718pn', 'EJXQFXA5OsrCl2CWDT0', 'dQm8h5AEGIwQsibOkJd', 'GbSqnPAMkND2OxSgrya'
Source: Xmz1XDgtah.exe, twmPbTwfxtbjN1rjWxC.cs High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'CfHDbvf1pC', 'UTYDuXge5f', 'r8j', 'LS1', '_55S'
Source: Xmz1XDgtah.exe, FGD8Fpgdt4tuhV7KcCX.cs High entropy of concatenated method names: 'XKgqMZXAx0', 'bLZqrPjOFQ', 'Vs6q65NoPR', 'wdYqY7T5d0', 'LkrqFiQxyV', 'wI9qP6f0ww', 'UN29B3p1ewAoV2GDiTp', 'yliK4ipLEa3OeR7gQhB', 'imUUCJpsSeS5WHuKDQW', 'XfLTRQptu32J5a24OAW'
Source: Xmz1XDgtah.exe, vJH19KEL4eITuFjYcY.cs High entropy of concatenated method names: 'MKP8b489e', 'dvwGMqIrYkZLyidr1B', 'o2X5ybvIaDVD6d5hH0', 'MCS8oSVTrUvoFyWRMU', 'EylGMIu1s7Tb1JEKsq', 'Eg6UuQYP0Ua7OW6WJs', 'dc1ytTX8o', 'QJ2ZQhX7T', 'r3URERiML', 'OteEGELCl'
Source: Xmz1XDgtah.exe, vtmuxmC9hlqUPYcRtq5.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'YqElKbAAcmG13NhsEsE', 'I9hJT0A9uplOUFVk5R3', 'hSvrTkANp2JMsBB4OEO', 'T7NVQsAgUlnBdRliFwg', 'yQhI7jAymahsckQnhAD', 'bZ8A99A0kwZm4mybLRd'
Source: Xmz1XDgtah.exe, KDnBpsCKb6MnYJo9ltf.cs High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'P3Sod49s6cfHKRqeuLh', 'mvWXKn91AS69rWebad6', 'RZEkK99tfZL3FSVIPvN', 'cYjIPH9e6QP3AiadhOC', 'RlOK4J9aXVaJLUXm0ae', 'JDllIa9ntmrVNR70K72'

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Xmz1XDgtah.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\ProgramData\RuntimeBroker.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Recovery\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Users\Default\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Program Files\Windows Portable Devices\SystemSettings.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe

Boot Survival

Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File created: C:\Users\Default\uPlspWkqijAQ.exe
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\RuntimeBroker.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Memory allocated: 11C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Memory allocated: 1ABE0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 1ABB0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 15A0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 1B4A0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 7C0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Memory allocated: 1A6A0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Memory allocated: 1AAB0000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Memory allocated: 1AEE0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Memory allocated: 1A800000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Memory allocated: 1650000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Memory allocated: 1B1B0000 memory reserve | memory write watch
Source: C:\ProgramData\RuntimeBroker.exe Code function: 23_2_00007FF848F1A62D sldt word ptr [eax] 23_2_00007FF848F1A62D
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 600000
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599891
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599782
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599657
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599547
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599437
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599311
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599203
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599081
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598950
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598844
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598734
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598624
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598352
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598249
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598141
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598011
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596730
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596625
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596478
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596375
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596266
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596157
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596032
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595907
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595782
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595657
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595547
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595438
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595313
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595188
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595063
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594938
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594828
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594719
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594594
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594485
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594360
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594235
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594110
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 593985
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Window / User API: threadDelayed 1815
Source: C:\ProgramData\RuntimeBroker.exe Window / User API: threadDelayed 3371
Source: C:\ProgramData\RuntimeBroker.exe Window / User API: threadDelayed 6267
Source: C:\ProgramData\RuntimeBroker.exe Window / User API: threadDelayed 364
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Window / User API: threadDelayed 367
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Window / User API: threadDelayed 365
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Window / User API: threadDelayed 368
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Window / User API: threadDelayed 362
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe TID: 5036 Thread sleep count: 1815 > 30
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe TID: 5312 Thread sleep count: 325 > 30
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe TID: 2788 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 5248 Thread sleep count: 3371 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 6152 Thread sleep count: 6267 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 2892 Thread sleep count: 35 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 3140 Thread sleep count: 50 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599891s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599782s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599657s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599547s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599437s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599311s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599203s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -599081s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598950s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598844s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598734s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598624s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598352s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598249s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598141s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -598011s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596730s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596625s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596478s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596375s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596266s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596157s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -596032s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595907s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595782s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595657s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595547s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595438s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595313s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595188s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -595063s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594938s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594828s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594719s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594594s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594485s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594360s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594235s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -594110s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 4816 Thread sleep time: -593985s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 5364 Thread sleep count: 364 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 4592 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe TID: 6180 Thread sleep count: 364 > 30
Source: C:\ProgramData\RuntimeBroker.exe TID: 1772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe TID: 5424 Thread sleep count: 367 > 30
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe TID: 6184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe TID: 6092 Thread sleep count: 365 > 30
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe TID: 6532 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe TID: 6696 Thread sleep count: 368 > 30
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe TID: 5480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe TID: 6768 Thread sleep count: 362 > 30
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe TID: 5784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\ProgramData\RuntimeBroker.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 600000
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599891
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599782
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599657
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599547
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599437
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599311
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599203
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 599081
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598950
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598844
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598734
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598624
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598352
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598249
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598141
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 598011
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596730
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596625
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596478
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596375
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596266
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596157
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 596032
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595907
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595782
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595657
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595547
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595438
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595313
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595188
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 595063
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594938
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594828
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594719
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594594
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594485
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594360
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594235
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 594110
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 593985
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\RuntimeBroker.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Thread delayed: delay time: 922337203685477
Source: Xmz1XDgtah.exe, 00000000.00000002.2107725407.000000001C833000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}bN
Source: Xmz1XDgtah.exe, 00000000.00000002.2107510629.000000001C816000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: RuntimeBroker.exe, 00000017.00000002.2603159404.000000001CE0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process token adjusted: Debug
Source: C:\ProgramData\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\ProgramData\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\ProgramData\RuntimeBroker.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Process token adjusted: Debug
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Process created: C:\ProgramData\RuntimeBroker.exe "C:\Users\All Users\RuntimeBroker.exe"
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Queries volume information: C:\Users\user\Desktop\Xmz1XDgtah.exe VolumeInformation
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\ProgramData\RuntimeBroker.exe Queries volume information: C:\ProgramData\RuntimeBroker.exe VolumeInformation
Source: C:\ProgramData\RuntimeBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\ProgramData\RuntimeBroker.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\ProgramData\RuntimeBroker.exe Queries volume information: C:\ProgramData\RuntimeBroker.exe VolumeInformation
Source: C:\ProgramData\RuntimeBroker.exe Queries volume information: C:\ProgramData\RuntimeBroker.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Queries volume information: C:\Program Files\Windows Portable Devices\SystemSettings.exe VolumeInformation
Source: C:\Program Files\Windows Portable Devices\SystemSettings.exe Queries volume information: C:\Program Files\Windows Portable Devices\SystemSettings.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Queries volume information: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe Queries volume information: C:\Program Files (x86)\Windows Mail\uPlspWkqijAQ.exe VolumeInformation
Source: C:\Users\user\Desktop\Xmz1XDgtah.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\ProgramData\RuntimeBroker.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 0000001C.00000002.2189528760.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2176112255.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.000000000309B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2165029559.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.0000000003080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2163434123.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2175393903.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2175393903.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2165029559.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2189528760.000000000283F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2154907035.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068660844.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xmz1XDgtah.exe PID: 3192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemSettings.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemSettings.exe PID: 4616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: uPlspWkqijAQ.exe PID: 6596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: uPlspWkqijAQ.exe PID: 6552, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001C.00000002.2189528760.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2176112255.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.000000000309B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2165029559.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2544259948.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.0000000003080000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2163434123.00000000034A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2175393903.00000000026A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2175393903.00000000026BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2165029559.0000000002AEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2189528760.000000000283F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2154907035.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2063649768.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2068660844.0000000012BEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Xmz1XDgtah.exe PID: 3192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemSettings.exe PID: 3448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SystemSettings.exe PID: 4616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: uPlspWkqijAQ.exe PID: 6596, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: uPlspWkqijAQ.exe PID: 6552, type: MEMORYSTR