Edit tour

Windows Analysis Report
16770075581.zip

Overview

General Information

Sample name:	16770075581.zip
Analysis ID:	1431511
MD5:	0531a38f0874c57a473f615b1608609e
SHA1:	2f70912946681142433683d58e0db1d3eba27e75
SHA256:	6b796b7bd4247c7c56976940fae8292cb633a1924ea940c5cd973fe8db4fb1ae
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Yara detected AgentTesla

Yara detected PureLog Stealer

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Outbound SMTP Connections

Uses SMTP (mail sending)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6900 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe (PID: 1592 cmdline: "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe" MD5: 1B1A6E8EA0B16F3611864E07458C7358)

a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe (PID: 2512 cmdline: "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe" MD5: 1B1A6E8EA0B16F3611864E07458C7358)

a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe (PID: 3680 cmdline: "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe" MD5: 1B1A6E8EA0B16F3611864E07458C7358)

a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe (PID: 4116 cmdline: "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe" MD5: 1B1A6E8EA0B16F3611864E07458C7358)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.1854317165.0000000006320000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1855204335.0000000006D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1841875926.0000000004A6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1841875926.0000000004A6C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.1839140970.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1839140970.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.1839140970.0000000002E39000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000F.00000002.1841875926.00000000046FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.1849874481.0000000005E10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.1841875926.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000002.2060893027.0000000007431000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2041946472.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2060893027.00000000074D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2041946472.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2037601987.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2037601987.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2041946472.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2040197303.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2040197303.00000000037D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.2040197303.00000000036E7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2041946472.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2041946472.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.2439032914.00000000028A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.2439032914.0000000002895000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.2439032914.000000000288B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000014.00000002.2439032914.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2439032914.0000000002861000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 25 entries

Sigma Signatures

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 148.251.133.229, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe, Initiated: true, ProcessId: 2512, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 49725

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for domain / URL

Source: confirmyourinfo.com

Virustotal: Detection: 10%

Perma Link

Source: unknown	HTTPS traffic detected: 142.202.136.11:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.202.136.11:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.17:49729 version: TLS 1.2

Source: global traffic

TCP traffic: 192.168.2.17:49725 -> 148.251.133.229:587

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.17:49725 -> 148.251.133.229:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: confirmyourinfo.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.seatech.co.ke

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 142.202.136.11:443 -> 192.168.2.17:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.202.136.11:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.17:49729 version: TLS 1.2

Source: classification engine

Classification label: mal88.troj.spyw.evad.winZIP@7/0@3/19

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: unknown	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasman.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: secur32.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: schannel.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0000000F.00000002.1854317165.0000000006320000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1855204335.0000000006D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1839140970.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2060893027.0000000007431000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2060893027.00000000074D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2040197303.00000000036E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2AE0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2C10000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 4C10000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 6C80000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 6470000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2D60000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 1A70000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 34C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 33D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 73E0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 6BD0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: E20000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Memory allocated: 2620000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Window / User API: threadDelayed 9862
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Window / User API: threadDelayed 7780

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 4144	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99888s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6196	Thread sleep count: 9862 > 30
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99776s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99664s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99552s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99424s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99169s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -99057s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98945s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98833s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98705s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98577s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98465s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98353s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98241s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98130s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -98002s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97874s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97763s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97651s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97539s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97427s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97299s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97171s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -97060s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96948s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96836s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96724s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96596s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96468s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96356s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96244s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96132s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -96020s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95892s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95764s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95652s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95540s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95428s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95300s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95173s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -95029s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94917s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94805s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94694s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94582s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94455s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94327s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6204	Thread sleep time: -94216s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 6564	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -200000s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99872s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 2028	Thread sleep count: 7780 > 30
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99760s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99648s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99536s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99409s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99282s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99170s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99058s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98946s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98834s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98706s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98450s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98338s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98226s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98114s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97986s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97858s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97746s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97635s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97524s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97412s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97284s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97156s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97044s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -96932s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -96820s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -96708s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -96580s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -96452s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99888s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99776s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99664s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99553s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99426s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99314s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99186s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -99074s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98962s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98850s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98738s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98626s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98498s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98386s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98274s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98162s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -98034s >= -30000s
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe TID: 1044	Thread sleep time: -97922s >= -30000s

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99888
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99776
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99664
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99552
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99424
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99281
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99169
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99057
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98945
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98833
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98705
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98577
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98465
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98353
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98241
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98130
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98002
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97874
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97763
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97651
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97539
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97427
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97299
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97171
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97060
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96948
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96836
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96724
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96596
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96468
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96356
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96244
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96132
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96020
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95892
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95764
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95652
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95540
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95428
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95300
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95173
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 95029
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94917
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94805
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94694
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94582
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94455
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94327
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 94216
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99872
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99760
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99648
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99536
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99409
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99282
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99170
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99058
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98946
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98834
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98706
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98562
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98450
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98338
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98226
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98114
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97986
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97858
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97746
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97635
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97524
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97412
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97284
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97156
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97044
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96932
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96820
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96708
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96580
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 96452
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99888
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99776
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99664
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99553
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99426
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99314
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99186
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 99074
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98962
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98850
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98738
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98626
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98498
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98386
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98274
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98162
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 98034
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Thread delayed: delay time: 97922

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Process created: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe "C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe"

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0000000F.00000002.1841875926.0000000004A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1839140970.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2037601987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2040197303.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.000000000288B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0000000F.00000002.1841875926.00000000046FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1849874481.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1841875926.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8h0a78bs.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe

File opened: C:\FTP Navigator\Ftplist.txt

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini

Source: Yara match	File source: 0000000F.00000002.1841875926.0000000004A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1839140970.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2037601987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2040197303.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0000000F.00000002.1841875926.0000000004A6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1855204335.0000000006C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1839140970.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2037601987.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2040197303.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2041946472.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.00000000028A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.0000000002895000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.000000000288B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2439032914.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0000000F.00000002.1841875926.00000000046FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1849874481.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1841875926.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Query Registry	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Link
confirmyourinfo.com	11%	Virustotal	Browse
seatech.co.ke	0%	Virustotal	Browse
mail.seatech.co.ke	0%	Virustotal	Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
seatech.co.ke	148.251.133.229	true	false	0%, Virustotal, Browse	unknown
confirmyourinfo.com	142.202.136.11	true	true	11%, Virustotal, Browse	unknown
api.ipify.org	104.26.12.205	true	false		high
mail.seatech.co.ke	unknown	unknown	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
142.202.136.11	confirmyourinfo.com	Reserved	52284	PanamaservercomPA	true
148.251.133.229	seatech.co.ke	Germany	24940	HETZNER-ASDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431511
Start date and time:	2024-04-25 11:17:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	16770075581.zip
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winZIP@7/0@3/19
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 40.126.28.20, 40.126.28.19, 40.126.28.11, 40.126.28.21, 40.126.28.18, 40.126.7.32, 40.126.28.13, 40.126.28.14
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.995256499309422
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	16770075581.zip
File size:	44'172 bytes
MD5:	0531a38f0874c57a473f615b1608609e
SHA1:	2f70912946681142433683d58e0db1d3eba27e75
SHA256:	6b796b7bd4247c7c56976940fae8292cb633a1924ea940c5cd973fe8db4fb1ae
SHA512:	7ff3753d490ceed05fb07d7a3f29df7c8019305bee50a48921bb9540b55bced0709d14b6c9fc424a12986fd766f7f338a963b239cea55b7ca1080f7176ad444c
SSDEEP:	768:w2ogmTjbrboSX2dmNKmyN1I+o2eHuGxV9luI7OejSe7MvMdhchC+bAgHNLp6c:ZogecSaF9I+odPV9l/7OKQohchrHRsc
TLSH:	BA1302D689270490C3BEE023394866A1532EDC4DA6CFDC3510E96BAD169FF5F2B50ED8
File Content Preview:	PK........................@...a0611257eaad7ff0528e4305d35a8929fc4cf268b0d7201e417ce0458040a9fa.#..N.J...*...........8..x.Cgp..[6PIv.... L?.#...m.;=.....9.U....N...!...H.7..p...o5N..?L...!<.r..L...p /)_.....ac.r.....\|x.E..X.d}0..:vD]. ..2y..6.w.+b..58'R...

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 16770075581.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

Static File Info

General

File Icon

Windows Analysis Report
16770075581.zip