Windows Analysis Report
DVuCnBrdbI.exe

Overview

General Information

Sample name:	DVuCnBrdbI.exe renamed because original name is a hash value
Original sample name:	b321fbc4a5947b5e623708e11a166692.exe
Analysis ID:	1431406
MD5:	b321fbc4a5947b5e623708e11a166692
SHA1:	a47346617fe2b1dda2920a23179daf9b36bbb06e
SHA256:	d1396a1ec855bd2cd988d0473161c5fba7ac170ba8e2f31b00d2689b517a0f22
Tags:	DCRatexe
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

Yara detected DCRat

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Drops PE files with benign system names

Drops executable to a common third party application directory

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DVuCnBrdbI.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\Default\Downloads\upfc.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\3D Objects\WmiPrvSE.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\Registry.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\vgX27OamF2.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Windows\Downloaded Program Files\lsass.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\wininit.exe	Avira: detection malicious, Label: HEUR/AGEN.1323984

Found malware configuration

Source: 00000000.00000002.1686893087.0000000012F31000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"SCRT": "{\"i\":\"%\",\"6\":\".\",\"b\":\" \",\"0\":\"#\",\"H\":\"&\",\"9\":\"-\",\"v\":\")\",\"S\":\"(\",\"d\":\"~\",\"m\":\"@\",\"L\":\",\",\"W\":\"_\",\"N\":\">\",\"5\":\"$\",\"A\":\"^\",\"Z\":\";\",\"C\":\"*\",\"y\":\"`\",\"I\":\"|\",\"e\":\"!\",\"J\":\"<\"}", "PCRT": "{\"D\":\"*\",\"E\":\"(\",\"Q\":\"<\",\"U\":\"^\",\"R\":\"&\",\"F\":\"-\",\"0\":\"@\",\"V\":\"%\",\"1\":\",\",\"I\":\"$\",\"W\":\"_\",\"j\":\";\",\"Z\":\">\",\"n\":\")\",\"v\":\"!\",\"d\":\"|\",\"p\":\"`\",\"w\":\" \",\"J\":\".\",\"B\":\"#\",\"N\":\"~\"}", "TAG": "", "MUTEX": "shddsfhdsfhsdfhdsfuidshfkjdshhjodsghdshfjklsdhfljkdshkjldsfhglskdhglfsdjkhgldshglsdfjhgldjfhdlhnvudfhgkldjfhgkjldfshglkfdhgjkdfhvdkghkdfjhgsldfkhgidsfhggggjrbufdngvklhgkdfhgs", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false, "H1": "http://golovkcc.beget.tech/@==gbJBzYuFDT", "H2": "http://golovkcc.beget.tech/@==gbJBzYuFDT", "T": "0"}

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Common Files\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\Packages\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\Registry.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Recovery\wininit.exe	ReversingLabs: Detection: 81%
Source: C:\Users\Default\Desktop\qJBfikDNRbrkF.exe	ReversingLabs: Detection: 81%
Source: C:\Users\Default\Downloads\upfc.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\3D Objects\WmiPrvSE.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Downloaded Program Files\lsass.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\SchCache\csrss.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\TAPI\WmiPrvSE.exe	ReversingLabs: Detection: 81%
Source: C:\Windows\Temp\Crashpad\reports\WmiPrvSE.exe	ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: DVuCnBrdbI.exe

ReversingLabs: Detection: 81%

Machine Learning detection for dropped file

Source: C:\Users\Default\Downloads\upfc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe	Joe Sandbox ML: detected
Source: C:\Users\user\3D Objects\WmiPrvSE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Recovery\Registry.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Joe Sandbox ML: detected
Source: C:\Windows\Downloaded Program Files\lsass.exe	Joe Sandbox ML: detected
Source: C:\Recovery\wininit.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DVuCnBrdbI.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: DVuCnBrdbI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Windows Mail\6ed216578b75a5	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Internet Explorer\6ed216578b75a5	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Common Files\qJBfikDNRbrkF.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Directory created: C:\Program Files\Common Files\6ed216578b75a5	Jump to behavior

Source: DVuCnBrdbI.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://golovkcc.beget.tech/@==gbJBzYuFDT

Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000003759000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Creates files inside the system directory

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\TAPI\WmiPrvSE.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\TAPI\WmiPrvSE.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\TAPI\24dbde2999530e	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Downloaded Program Files\lsass.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Downloaded Program Files\lsass.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Downloaded Program Files\6203df4a6bafc7	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\SchCache\csrss.exe	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\SchCache\csrss.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\SchCache\886983d96e3d3e	Jump to behavior

PE file contains executable resources (Code or Archives)

Source: DVuCnBrdbI.exe	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qJBfikDNRbrkF.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmiPrvSE.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: qJBfikDNRbrkF.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: WmiPrvSE.exe0.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Sample file is different than original file name gathered from version info

Source: DVuCnBrdbI.exe, 00000000.00000002.1689297652.000000001B920000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs DVuCnBrdbI.exe
Source: DVuCnBrdbI.exe, 00000000.00000002.1689528002.000000001BEA4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DVuCnBrdbI.exe
Source: DVuCnBrdbI.exe, 00000000.00000000.1631738070.0000000000D58000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DVuCnBrdbI.exe
Source: DVuCnBrdbI.exe, 00000000.00000002.1689251818.000000001B900000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename( vs DVuCnBrdbI.exe
Source: DVuCnBrdbI.exe, 00000000.00000002.1691078613.000000001C486000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs DVuCnBrdbI.exe
Source: DVuCnBrdbI.exe	Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs DVuCnBrdbI.exe

Uses 32bit PE files

Source: DVuCnBrdbI.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: DVuCnBrdbI.exe, B3PiA5SFPK5Zw4KAPEo.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DVuCnBrdbI.exe, B3PiA5SFPK5Zw4KAPEo.cs	Cryptographic APIs: 'CreateDecryptor'
Source: DVuCnBrdbI.exe, KXjbPlwRN4DQenO4GDH.cs	Cryptographic APIs: 'TransformBlock'
Source: DVuCnBrdbI.exe, KXjbPlwRN4DQenO4GDH.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@36/54@0/0

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe

File created: C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe

Source: C:\Windows\TAPI\WmiPrvSE.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\b646ff99111bcf432bf796ccea30e257e4449700

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: unknown	Process created: C:\Users\user\Desktop\DVuCnBrdbI.exe "C:\Users\user\Desktop\DVuCnBrdbI.exe"
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 6 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 13 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Users\Default\Desktop\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 14 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 12 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 8 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 13 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 11 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 7 /tr "'C:\Recovery\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\wininit.exe'" /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\wininit.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\wininit.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe'" /f
Source: unknown	Process created: C:\Recovery\qJBfikDNRbrkF.exe C:\Recovery\qJBfikDNRbrkF.exe
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkF" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe "C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe"
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qJBfikDNRbrkFq" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Recovery\wininit.exe C:\Recovery\wininit.exe
Source: unknown	Process created: C:\Recovery\wininit.exe C:\Recovery\wininit.exe
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows photo viewer\en-GB\Idle.exe'" /f
Source: unknown	Process created: C:\Windows\TAPI\WmiPrvSE.exe C:\Windows\TAPI\WmiPrvSE.exe
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\windows photo viewer\en-GB\Idle.exe'" /rl HIGHEST /f
Source: unknown	Process created: C:\Windows\TAPI\WmiPrvSE.exe C:\Windows\TAPI\WmiPrvSE.exe
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows photo viewer\en-GB\Idle.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process created: unknown unknown	Jump to behavior

Source: DVuCnBrdbI.exe, YDCBNdBCBGBEhtCfgSo.cs	.Net Code: bvb8Ula62E System.AppDomain.Load(byte[])
Source: DVuCnBrdbI.exe, YDCBNdBCBGBEhtCfgSo.cs	.Net Code: bvb8Ula62E System.Reflection.Assembly.Load(byte[])
Source: DVuCnBrdbI.exe, YDCBNdBCBGBEhtCfgSo.cs	.Net Code: bvb8Ula62E

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Code function: 0_2_00007FFD9BAB00BD pushad ; iretd	0_2_00007FFD9BAB00C1
Source: C:\Recovery\qJBfikDNRbrkF.exe	Code function: 29_2_00007FFD9BABC7F7 push ebp; retf	29_2_00007FFD9BABC816
Source: C:\Recovery\qJBfikDNRbrkF.exe	Code function: 29_2_00007FFD9BABC7D7 push ebx; retf	29_2_00007FFD9BABC7E6
Source: C:\Recovery\qJBfikDNRbrkF.exe	Code function: 29_2_00007FFD9BAB8CCA push ebx; retf	29_2_00007FFD9BAB8CCB
Source: C:\Recovery\qJBfikDNRbrkF.exe	Code function: 29_2_00007FFD9BAB00BD pushad ; iretd	29_2_00007FFD9BAB00C1
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Code function: 31_2_00007FFD9BAD00BD pushad ; iretd	31_2_00007FFD9BAD00C1
Source: C:\Recovery\wininit.exe	Code function: 33_2_00007FFD9BAC00BD pushad ; iretd	33_2_00007FFD9BAC00C1
Source: C:\Recovery\wininit.exe	Code function: 34_2_00007FFD9BA900BD pushad ; iretd	34_2_00007FFD9BA900C1
Source: C:\Windows\TAPI\WmiPrvSE.exe	Code function: 36_2_00007FFD9BAC00BD pushad ; iretd	36_2_00007FFD9BAC00C1
Source: C:\Windows\TAPI\WmiPrvSE.exe	Code function: 38_2_00007FFD9BAC00BD pushad ; iretd	38_2_00007FFD9BAC00C1

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Downloaded Program Files\lsass.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\SchCache\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Recovery\wininit.exe	Jump to dropped file

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Users\user\3D Objects\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Users\Default\Downloads\upfc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Recovery\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Downloaded Program Files\lsass.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Recovery\Registry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\SchCache\csrss.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\TAPI\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Program Files\Common Files\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Recovery\wininit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Windows\Temp\Crashpad\reports\WmiPrvSE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\ProgramData\Packages\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Users\Default\Desktop\qJBfikDNRbrkF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File created: C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe	Jump to dropped file

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Memory allocated: B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Memory allocated: 1A970000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Memory allocated: BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Memory allocated: 1A6D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\wininit.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\wininit.exe	Memory allocated: 1A8E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Recovery\wininit.exe	Memory allocated: 880000 memory reserve \| memory write watch
Source: C:\Recovery\wininit.exe	Memory allocated: 1A590000 memory reserve \| memory write watch
Source: C:\Windows\TAPI\WmiPrvSE.exe	Memory allocated: 1520000 memory reserve \| memory write watch
Source: C:\Windows\TAPI\WmiPrvSE.exe	Memory allocated: 1B050000 memory reserve \| memory write watch
Source: C:\Windows\TAPI\WmiPrvSE.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Windows\TAPI\WmiPrvSE.exe	Memory allocated: 1ADF0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wininit.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Recovery\wininit.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\TAPI\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\TAPI\WmiPrvSE.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Window / User API: threadDelayed 1656	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Window / User API: threadDelayed 548	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Window / User API: threadDelayed 369	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Window / User API: threadDelayed 369	Jump to behavior
Source: C:\Recovery\wininit.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Recovery\wininit.exe	Window / User API: threadDelayed 365
Source: C:\Windows\TAPI\WmiPrvSE.exe	Window / User API: threadDelayed 365

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe TID: 5772	Thread sleep count: 1656 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe TID: 5772	Thread sleep count: 548 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DVuCnBrdbI.exe TID: 648	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe TID: 7972	Thread sleep count: 369 > 30	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe TID: 7680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe TID: 7872	Thread sleep count: 369 > 30	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe TID: 7732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\wininit.exe TID: 8104	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Recovery\wininit.exe TID: 7832	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Recovery\wininit.exe TID: 7856	Thread sleep count: 365 > 30
Source: C:\Recovery\wininit.exe TID: 7652	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\TAPI\WmiPrvSE.exe TID: 8128	Thread sleep count: 365 > 30
Source: C:\Windows\TAPI\WmiPrvSE.exe TID: 7860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\TAPI\WmiPrvSE.exe TID: 8096	Thread sleep count: 345 > 30
Source: C:\Windows\TAPI\WmiPrvSE.exe TID: 7740	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\wininit.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Recovery\wininit.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\TAPI\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\TAPI\WmiPrvSE.exe	File Volume queried: C:\ FullSizeInformation

Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: jC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\WinSxS\amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec13
Source: DVuCnBrdbI.exe, 00000000.00000002.1691493456.000000001C55B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g?
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.2006_none_ab6b7b2814133920
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dC:\Windows\WinSxS\amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1741_none_1bf0e7c12b78479b
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dd
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1741_none_a3a0448c191b2fda
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: fC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1889_none_46e4953b6f70cc79
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: oC:\Windows\WinSxS\amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a11c7040
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1741_none_4fe99c993cb84326
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1741_none_78a9b11b7a3cc41b
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: cC:\Windows\WinSxS\amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67
Source: DVuCnBrdbI.exe, 00000000.00000002.1690891623.000000001C43F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\WinSxS\amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hC:\Windows\WinSxS\amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: aC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.2006_none_a526c6e91aabcb1b
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: pC:\Windows\WinSxS\amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dC:\Windows\WinSxS\amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: rC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac87
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1949_none_a9b86d6c1534dc66
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hC:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1741_none_b365912b94b35a98
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: eC:\Windows\WinSxS\amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1889_none_e7d7bde611c8c141
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1741_none_b62736d427ac1a0c
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sC:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wC:\Windows\WinSxS\amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.2006_none_f93d3f541072d580
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1741_none_7543ca68a
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: nC:\Windows\WinSxS\wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea164
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\WinSxS\amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1645_none_fe1307608fa06d8c
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: hC:\Windows\WinSxS\amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lC:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd5
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tC:\Windows\WinSxS\amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3
Source: DVuCnBrdbI.exe, 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: uC:\Windows\WinSxS\amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\wininit.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Recovery\wininit.exe	Process token adjusted: Debug
Source: C:\Windows\TAPI\WmiPrvSE.exe	Process token adjusted: Debug
Source: C:\Windows\TAPI\WmiPrvSE.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\DVuCnBrdbI.exe	Queries volume information: C:\Users\user\Desktop\DVuCnBrdbI.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\qJBfikDNRbrkF.exe	Queries volume information: C:\Recovery\qJBfikDNRbrkF.exe VolumeInformation	Jump to behavior
Source: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	Queries volume information: C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\wininit.exe	Queries volume information: C:\Recovery\wininit.exe VolumeInformation	Jump to behavior
Source: C:\Recovery\wininit.exe	Queries volume information: C:\Recovery\wininit.exe VolumeInformation
Source: C:\Windows\TAPI\WmiPrvSE.exe	Queries volume information: C:\Windows\TAPI\WmiPrvSE.exe VolumeInformation
Source: C:\Windows\TAPI\WmiPrvSE.exe	Queries volume information: C:\Windows\TAPI\WmiPrvSE.exe VolumeInformation

Source: Yara match	File source: 00000000.00000002.1684981326.0000000003735000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1755394202.00000000026D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.1755394202.000000000270D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1755435217.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1750646364.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1750646364.00000000029AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1754740131.000000000291D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1754740131.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.1755435217.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.1748954073.0000000002591000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.1755299818.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1686893087.0000000012F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1684981326.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DVuCnBrdbI.exe PID: 764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qJBfikDNRbrkF.exe PID: 7436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qJBfikDNRbrkF.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wininit.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7528, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WmiPrvSE.exe PID: 7560, type: MEMORYSTR

ID:	1431406
Product:	CloudBasic
Start time:	01:56:05
Start date:	25.04.2024
Sample:	DVuCnBrdbI.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b321fbc4a5947b5e623708e11a166692
SHA1:	a47346617fe2b1dda2920a23179daf9b36bbb06e
SHA256:	d1396a1ec855bd2cd988d0473161c5fba7ac170ba8e2f31b00d2689b517a0f22
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\Windows Multimedia Platform\6ed216578b75a5	ASCII text, with very long lines (763), with no line terminators	FBB5D214C9EA262F2F9E0185E96A5F98	3D33625C1D224EDC4EEC00AF128142D6D1801C29	51E06EDAABC60CBA4960A72F3011B89DDEA781BB2852BF429F391363956E652D
C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Program Files (x86)\Windows Multimedia Platform\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files (x86)\Windows Photo Viewer\en-GB\6ccacd8608530f	ASCII text, with no line terminators	7C8FD90CC5C103C775246A4FAAD37A9C	C2BD83188E7DAFB610854AF5B528378E58ADC35E	FB6B6B487955B819E24625D29EF76CACC699E57B70B5B7DA8685F04D4125E90E
C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Program Files (x86)\Windows Photo Viewer\en-GB\Idle.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files\Common Files\6ed216578b75a5	ASCII text, with no line terminators	4CD419E91A65B05B881E13DCC0AE23AF	0B05582DD526E3369AA4022429B037B5B89D178F	5182789F48BE16C2805B9A16BB96193BB33B4701C5189CA6D06FEC9824C2517A
C:\Program Files\Common Files\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Program Files\Common Files\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files\Internet Explorer\6ed216578b75a5	ASCII text, with no line terminators	661C212D80089B0EC5BDD1CC73110CEC	B2A39D76D8C500C0AE95DE4B79F45699548969EC	DDA0FD419B9FFD90AC38D0484CA1D34817355A11E670D6FBDB3FA22B324036A2
C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Program Files\Internet Explorer\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Program Files\Windows Mail\6ed216578b75a5	ASCII text, with very long lines (824), with no line terminators	4025AAAB2C3AAE71E35ED701E81B55B7	A69A0207A568E532BF84683906A8DC9A25DF9E91	FC30B5542DE2D42C0F8B000002E31C6D8622FFD3003EB782CD258C1E982A69E9
C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Program Files\Windows Mail\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\Packages\6ed216578b75a5	ASCII text, with no line terminators	37DA2F401A74775C66863C529097D088	0454A59E53FC2C4F0F14A8DFC02E87EFD1D80362	BCB5DAD068144AD172FACFEDD8652E58DC33D02DF9EF2B4F68946E206170332C
C:\ProgramData\Packages\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\ProgramData\Packages\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\56085415360792	ASCII text, with no line terminators	798170CE669CFDB4BD3ECFCDD3D4F25C	501EE9FA5C961A10188B7CC001DE5D12E1158670	A40920A8949E097904750B67F29D766857F50E37BE38196706513878C04F5505
C:\Recovery\6ed216578b75a5	ASCII text, with very long lines (420), with no line terminators	6ED7E027FCB6C1842F7697A0C37EE2FD	FBC3E7D523B210E6A3923FD124203DDCD9FBEBCD	452E890D7DEAC005D7F73C13410214AFEC3C44CC45BFD757E6D65645CA039A94
C:\Recovery\Registry.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Recovery\Registry.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\ee2ad38f3d4382	ASCII text, with very long lines (634), with no line terminators	756591E6226C5D4DCA72E071DA6ED1E3	AA7C434A9DDB5712599AE8F400283AA25DA4778B	94058A26B38A4955F8E31464209B130168F8758CDE17D78E372EBF3ACAE90803
C:\Recovery\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Recovery\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Recovery\wininit.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Recovery\wininit.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\Default\Desktop\6ed216578b75a5	ASCII text, with very long lines (948), with no line terminators	64AD8A0E892FC54E338906FD5E706383	D2E37BCEB8DA350DD28BC3DBC31F445045B2B426	AB9C2766CA6EFC87442A0676427A87506C4C4546FEF84B7A047C215972840FE6
C:\Users\Default\Desktop\qJBfikDNRbrkF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Users\Default\Desktop\qJBfikDNRbrkF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\Default\Downloads\ea1d8f6d871115	ASCII text, with very long lines (563), with no line terminators	F63894FB9F47870243A91C632C0B3C72	4635EA0E59969F318777B1F94D85633EF5D3EACA	62C68CCEE6034F25E6E66D17864DE751A68FBF14FFB06AF5CACD6D052A3057D7
C:\Users\Default\Downloads\upfc.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Users\Default\Downloads\upfc.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\3D Objects\24dbde2999530e	ASCII text, with very long lines (682), with no line terminators	C82942D4E7DA781DA602C02BD3A2B9CB	3A4BFAF441F446D11094E17EE7994EC099E42467	A45F7CC82B3B32401452CD5B38E77CD1CC0B5E2DA2048694B897518D8216E8EE
C:\Users\user\3D Objects\WmiPrvSE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Users\user\3D Objects\WmiPrvSE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DVuCnBrdbI.exe.log	CSV text	B28E0CCD25623D173B2EB29F3A99B9DD	070E4C4A7F903505259E41AFDF7873C31F90D591	3A108902F93EF9E952D9E748207778718A2CBAEB0AB39C41BD37E9BB0B85BF3A
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qJBfikDNRbrkF.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log	CSV text	12C61586CD59AA6F2A21DF30501F71BD	E6B279DC134544867C868E3FF3C267A06CE340C7	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
C:\Users\user\AppData\Local\Temp\fKhYlTVFkp	ASCII text, with no line terminators	255B9149120B341F6AA935BE56AB19DD	34B6376D4D0549E59AC95E143239D201C47E94DC	04943BA88F56228769B08A31A3B3DD368CF0DE4766B0492976D905192A08C49B
C:\Users\user\AppData\Local\Temp\vgX27OamF2.bat	DOS batch file, ASCII text, with CRLF line terminators	37916A7BC9EE8477B1449B742C7ED9FD	E03ACC5A207BBA53330506BCD57201AD5432216A	41D5F93F3A4A8B42DBA6185E8785117786118BD0FC2494D85C4A985F77888972
C:\Windows\Downloaded Program Files\6203df4a6bafc7	ASCII text, with very long lines (577), with no line terminators	BB104C6CE0E0E073F135428CC99E12A0	21F8BDB68DDCFA09220CF5637CFFA2C69FBA86AF	79650ADA3D6BF2F9BF02478F7ED4BE739BE20FFD6A2EC5CB95819E9203FAA56B
C:\Windows\Downloaded Program Files\lsass.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Windows\Downloaded Program Files\lsass.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\SchCache\886983d96e3d3e	ASCII text, with very long lines (707), with no line terminators	7F1BD316F4F501FA10F59512AA9B53B0	E6D51128D2B707BCD75572E19E9BB60794289155	E339720A0012B3F24EB6B136BE090C16F9BC2B66A8949B7088DE6BD2577EEBE2
C:\Windows\SchCache\csrss.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Windows\SchCache\csrss.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\TAPI\24dbde2999530e	ASCII text, with no line terminators	780328A5E4411CC82D078C59BBDA397A	E71CF7C5E8711A3CE00CC9ABCE959204FC5ACBF6	3BD78245C60C9601B3E6E83CE194B1BCFF4ADFA1E0956E3C0525F353FCD316C1
C:\Windows\TAPI\WmiPrvSE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Windows\TAPI\WmiPrvSE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Windows\Temp\Crashpad\reports\24dbde2999530e	ASCII text, with no line terminators	19DC14C2429BC548C1E84BB4B1A4DF9C	41804EC18D8D86EBF48DA44C417612A73584E24D	A0309DAD4A9BAED23483C970088CFE1D872371B658BD608F10AD56A9353E56CD
C:\Windows\Temp\Crashpad\reports\WmiPrvSE.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	B321FBC4A5947B5E623708E11A166692	A47346617FE2B1DDA2920A23179DAF9B36BBB06E	D1396A1EC855BD2CD988D0473161C5FBA7AC170BA8E2F31B00D2689B517A0F22
C:\Windows\Temp\Crashpad\reports\WmiPrvSE.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report DVuCnBrdbI.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted URLs

Windows Analysis Report
DVuCnBrdbI.exe

Malware Threat Intel
Provided by