Windows Analysis Report
yX8787W7de.exe

Overview

General Information

Sample name: yX8787W7de.exe (renamed because the original name is a hash value)
Original sample name: 10f54a1a68bce057dc9abbc2851a6235.exe
Analysis ID: 1431967
MD5: 10f54a1a68bce057dc9abbc2851a6235
SHA1: aa70b6be5f6e35655d0a5e25c450b47f4a23ffd0
SHA256: d0be212a60bf7479492be23497cf0e933b8c6fda4e68b0d9724c7dc18e30fa37
Tags: DCRatexe

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Creates processes via WMI
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: yX8787W7de.exe Avira: detected
Source: C:\Recovery\SystemSettings.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\fontrefcrt\WmiPrvSE.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\fontrefcrt\JfSdr.vbe Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe ReversingLabs: Detection: 83%
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Virustotal: Detection: 73%
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe ReversingLabs: Detection: 83%
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe Virustotal: Detection: 73%
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe ReversingLabs: Detection: 83%
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Virustotal: Detection: 73%
Source: C:\Recovery\SystemSettings.exe ReversingLabs: Detection: 83%
Source: C:\Recovery\SystemSettings.exe Virustotal: Detection: 73%
Source: C:\Users\user\Desktop\iJCvyQAH.log Virustotal: Detection: 25%
Source: C:\Users\user\Desktop\wNZUMzpS.log Virustotal: Detection: 25%
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe ReversingLabs: Detection: 83%
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Virustotal: Detection: 73%
Source: C:\fontrefcrt\WmiPrvSE.exe ReversingLabs: Detection: 83%
Source: C:\fontrefcrt\WmiPrvSE.exe Virustotal: Detection: 73%
Source: yX8787W7de.exe ReversingLabs: Detection: 79%
Source: yX8787W7de.exe Virustotal: Detection: 56%
Source: C:\Recovery\SystemSettings.exe Joe Sandbox ML: detected
Source: C:\fontrefcrt\WmiPrvSE.exe Joe Sandbox ML: detected
Source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe Joe Sandbox ML: detected
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Joe Sandbox ML: detected
Source: yX8787W7de.exe Joe Sandbox ML: detected
Source: yX8787W7de.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Directory created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Directory created: C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a
Source: yX8787W7de.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yX8787W7de.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.pdb source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp

Spreading

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0012A69B
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0013C220
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData\Local
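The Sigma hits in the signature list ("Files With System Process Name In Unsuspected Locations", "System File Execution Location Anomaly") and the csc.exe write into System32 recorded above come down to two checks: a Windows system binary name (conhost.exe, WmiPrvSE.exe, SystemSettings.exe) running from a directory it never ships in, and a file created under the system directory by a process that is not a servicing component. The Python below is an added example, not part of the Joe Sandbox report and not a vendor rule; it runs those two checks over constructed process-creation and file-write events built from the drop paths this report lists. The expected-directory table, the trusted-writer allowlist and the event layout are assumptions made for the example.

```python
"""Added example (not from the report): name/location and system-dir-write checks."""
from pathlib import PureWindowsPath

SYSTEM_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Where each impersonated binary name legitimately lives on Windows 10.
# Assumption: this short table is enough for the example; a production rule
# would carry a fuller inventory and ideally check the Authenticode signer too.
EXPECTED_DIRS = {
    "conhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "securityhealthsystray.exe": {r"c:\windows\system32"},
    "systemsettings.exe": {r"c:\windows\immersivecontrolpanel"},
}

# Processes allowed to create files under the system directory.
# Assumption: a deliberately small allowlist keyed by full image path, so a
# same-named copy elsewhere (the trick this sample relies on) does not match.
TRUSTED_SYSTEM_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\msiexec.exe",
}


def _norm(path: str) -> str:
    """Lower-case, backslash-normalised form used for every comparison."""
    return str(PureWindowsPath(path)).lower()


def _under(directory: str, root: str) -> bool:
    """True if directory is root itself or a subdirectory of it."""
    return directory == root or directory.startswith(root + "\\")


def name_location_anomaly(image_path: str) -> bool:
    """True when a tracked system binary name runs outside its expected directory."""
    image = PureWindowsPath(image_path)
    expected = EXPECTED_DIRS.get(image.name.lower())
    if expected is None:
        return False  # unknown name: needs other signals (hash, signer, parent)
    return _norm(str(image.parent)) not in expected


def system_dir_write_anomaly(writer_image: str, target_path: str) -> bool:
    """True when a process outside the allowlist writes into System32/SysWOW64."""
    target_dir = _norm(str(PureWindowsPath(target_path).parent))
    if not any(_under(target_dir, root) for root in SYSTEM_ROOTS):
        return False
    return _norm(writer_image) not in TRUSTED_SYSTEM_WRITERS


def triage(events: list) -> list:
    """Return (reason, path) for every event that trips one of the two checks."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create" and name_location_anomaly(ev["image"]):
            hits.append(("masquerade", ev["image"]))
        elif ev["type"] == "file_write" and system_dir_write_anomaly(ev["writer"], ev["target"]):
            hits.append(("system_dir_write", ev["target"]))
    return hits


# Constructed telemetry modelled on the drop paths in this report, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\fontrefcrt\WmiPrvSE.exe"},
    {"type": "process_create", "image": r"C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe"},
    {"type": "process_create", "image": r"C:\Recovery\SystemSettings.exe"},
    {"type": "process_create", "image": r"C:\fontrefcrt\MsintoRefcommonsvc.exe"},  # novel name: not caught by this check
    {"type": "process_create", "image": r"C:\Windows\System32\conhost.exe"},        # legitimate
    {"type": "file_write", "writer": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "target": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "file_write", "writer": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},                            # legitimate
]

if __name__ == "__main__":
    for reason, path in triage(SAMPLE_EVENTS):
        print(f"{reason:17} {path}")
```

The name check is only as good as its table, which is why MsintoRefcommonsvc.exe in C:\fontrefcrt passes it: a novel name needs the hash, signer or parent-process signals this report also carries (csc.exe compiling from %TEMP%, WMI process creation, schtasks). The system-directory write check matches on the writer's full image path rather than its basename for the same reason the sample drops a fake conhost.exe: a basename allowlist is exactly what masquerading defeats.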

Networking

Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49736 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49738 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49739 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49740 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49741 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49742 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49743 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49744 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49745 -> 104.21.16.102:80
Source: Traffic Snort IDS: 2048095 ET TROJAN [ANY.RUN] DarkCrystal Rat Check-in (POST) 192.168.2.4:49746 -> 104.21.16.102:80
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: taketa.top
Source: unknown HTTP traffic detected:
    POST /JavascriptPollMultigeneratordatalife.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
    Host: taketa.top
    Content-Length: 344
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:17:26 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GXse2RoLCKT8rgKz9iWVD5zWud017pmY1UOATwvwzj5cPjVXegI5HwxouKVEiYKsMWcbEb9Id%2B9OiGIvXg2ixaBwaZSKZyyH%2FnIreAncgqjM8TrRjYMZB4kVwlMe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36b74fc6e9ac0-MIA
    alt-svc: h3=":443"; ma=86400
    Body (first chunk, size 0x49f, decoded from the hex dump in the report; the capture is truncated):
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
          "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
        <head>
        <title>Object not found!</title>
        <link rev="made" href="mailto:%5bno%20address%20given%5d" />
        <style type="text/css"><!--/*--><![CDATA[/*><!--*/
            body { color: #000000; background-color: #FFFFFF; }
            a:link { color: #0000CC; }
            p, address {margin-left: 3em;}
            span {font-size: smaller;}
        /*]]>*/--></style>
        </head>

        <body>
        <h1>Object not found!</h1>
        <p>


            The request [capture truncated here]
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:17:56 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lm22g23MiKymyeBNY43Bg3UuI45Qd%2BYpCRchCNA2ZghTpliqBc7SX4L5hLuEcTCrGKme8WLk8WxxBECtJ3kOVl1v5EHklVYDQ2a73TefUHt%2B9w%2FqKejvko2raHTe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36c2e5d33db2d-MIA
    alt-svc: h2=":443"; ma=60
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:18:05 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rtdo1gzmI34v3wCPVUo3RHSjrWe7vuB6%2F4AFHltjAHVSlPRAgbyUA%2BJJZSsC6Uxt6AOPvjz5LiKW653oUYpGbj5cM%2FCtoi%2FMAVKnr8a6q%2FIBbGoQvtbLOHedCU4A"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36c695cfa0351-MIA
    alt-svc: h3=":443"; ma=86400
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:18:07 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YkJnvly6UKfWRmQpGUOTi4dKGRxrnjFaCWIGu7pqWdyjh0DvWErWpf%2FfD0AUfFVvJK60eeXrjwsJSiYqHrOWJnd%2Bx7vJhSwlm%2FTMM1rL1YQF%2B6Hi0EEPUfl7AjS0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36c740dc9221e-MIA
    alt-svc: h2=":443"; ma=60
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:18:13 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LlwNGy3rzV3RXDXFPdRMX%2FCG2LnhAz%2Bfq7PeY9Qg2ohwaPGfSayoZ9xlpWIznuSJF1LcwQb%2Bwg3Fx0D900WcPsN6%2Bx99cDGpZ5Io2qjKE5e53%2B3lg2JLknY8M12K"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36c9cbf265c7d-MIA
    alt-svc: h2=":443"; ma=60
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:18:16 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fEwT1LNQ7rK6CyWoJPdlksGShMyaVLsgzTAEX9OQMkJAw7vf7AB4xilTcfqMCRgNF%2Bg6ZkT1egWaTP2%2B32js5UVI1EXF7pwoaLlo2bQhNjJ51rQ2bGyiBBuJniYR"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36caeba382245-MIA
    alt-svc: h2=":443"; ma=60
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 26 Apr 2024 03:18:18 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: accept-language,accept-charset
    Accept-Ranges: bytes
    Content-Language: en
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aEZOpWwslAVQ5cnbvpM3LtG4NG509ZVdZFozrx1dX5wsnff3oRwjyXdEVLL2sNzrOEt6wJyFlZEpiw2dnbs4r2GOVfNquqTU43K0Q6NhRmFWfqaKh8uzeC3Queau"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a36cb9c9375c7f-MIA
    alt-svc: h2=":443"; ma=60
    Body: same chunked 404 page as the 03:17:26 response above (decoded there); capture truncated at the same point.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=62pg6uXYHVg9stmbUFpl3PdXJHdZDFv6iMHzjWAHQGYgOYIrvflXecCcF%2BgtuBkZ%2BIJwkIanMS0gKYHqgKsMOJVxzq9BSFJAmmBgcbZYbZMlHBtfPnKxuq2oCCnR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36cd82feb8d9d-MIAalt-svc: h2=":443"; ma=60Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 7d 
0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; backg
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TIGOFkDFozZloVjVSUhqmScus6gWZrgfNHJ7%2BF9II6zvco2VKDb1qejr%2BeimlBeU4KiDgM0C%2BE6VSMDqRbPclamE0kYte6OOmctN6bkajJ0N5KgsSat2vGrrdkTt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36d7f5af00362-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 
20 7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-colo
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 03:18:59 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: accept-language,accept-charsetAccept-Ranges: bytesContent-Language: enCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFLRbuteLRdnhvDtxHvPmFdT2HlqL9bkhBbAxD8NIl7TCzVtmxSYxb97HQcpj9QtyEFWqTH7O%2FkYjPn3aA90PYT1XwkTQJkabEwuvrX6PbluBxeCfGZMvKt%2BNrDs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 87a36dbb1d08a533-MIAalt-svc: h3=":443"; ma=86400Data Raw: 34 39 66 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 0d 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 76 3d 22 6d 61 64 65 22 20 68 72 65 66 3d 22 6d 61 69 6c 74 6f 3a 25 35 62 6e 6f 25 32 30 61 64 64 72 65 73 73 25 32 30 67 69 76 65 6e 25 35 64 22 20 2f 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 3c 21 2d 2d 2f 2a 2d 2d 3e 3c 21 5b 43 44 41 54 41 5b 2f 2a 3e 3c 21 2d 2d 2a 2f 20 0d 0a 20 20 20 20 62 6f 64 79 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 20 
7d 0d 0a 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 43 43 3b 20 7d 0d 0a 20 20 20 20 70 2c 20 61 64 64 72 65 73 73 20 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 33 65 6d 3b 7d 0d 0a 20 20 20 20 73 70 61 6e 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 65 72 3b 7d 0d 0a 2f 2a 5d 5d 3e 2a 2f 2d 2d 3e 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4f 62 6a 65 63 74 20 6e 6f 74 20 66 6f 75 6e 64 21 3c 2f 68 31 3e 0d 0a 3c 70 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 54 68 65 20 72 65 71 75 65 73 74 Data Ascii: 49f<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><title>Object not found!</title><link rev="made" href="mailto:%5bno%20address%20given%5d" /><style type="text/css"><!--/*--><![CDATA[/*><!--*/ body { color: #000000; background-
Source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conhost.exe, 0000001F.00000002.1984917636.00000000038D0000.00000004.00000800.00020000.00000000.sdmp, conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://taketa.top
Source: conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://taketa.top/
Source: conhost.exe, 0000001F.00000002.1984917636.00000000036FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://taketa.top/JavascriptPollMultigeneratordatalife.php

System Summary

Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00126FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 0_2_00126FAA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: c:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File deleted: C:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012848E 0_2_0012848E
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00134088 0_2_00134088
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001300B7 0_2_001300B7
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001240FE 0_2_001240FE
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00137153 0_2_00137153
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001451C9 0_2_001451C9
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001362CA 0_2_001362CA
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001232F7 0_2_001232F7
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001343BF 0_2_001343BF
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012C426 0_2_0012C426
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0014D440 0_2_0014D440
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012F461 0_2_0012F461
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001377EF 0_2_001377EF
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012286B 0_2_0012286B
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0014D8EE 0_2_0014D8EE
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012E9B7 0_2_0012E9B7
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_001519F4 0_2_001519F4
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00136CDC 0_2_00136CDC
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00133E0B 0_2_00133E0B
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00144F9A 0_2_00144F9A
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012EFE2 0_2_0012EFE2
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BAA0D48 5_2_00007FFD9BAA0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BAA0E43 5_2_00007FFD9BAA0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BE4A701 5_2_00007FFD9BE4A701
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BE49951 5_2_00007FFD9BE49951
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BAD0D48 31_2_00007FFD9BAD0D48
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BAD0E43 31_2_00007FFD9BAD0E43
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BE74F69 31_2_00007FFD9BE74F69
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 32_2_00007FFD9BAC0D48 32_2_00007FFD9BAC0D48
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 32_2_00007FFD9BAC0E43 32_2_00007FFD9BAC0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAD1865 33_2_00007FFD9BAD1865
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAB06AE 33_2_00007FFD9BAB06AE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAB0456 33_2_00007FFD9BAB0456
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAB088F 33_2_00007FFD9BAB088F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAA0D48 33_2_00007FFD9BAA0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAA0E43 33_2_00007FFD9BAA0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAD06AE 34_2_00007FFD9BAD06AE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAD0456 34_2_00007FFD9BAD0456
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAD088F 34_2_00007FFD9BAD088F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAC0D48 34_2_00007FFD9BAC0D48
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAC0E43 34_2_00007FFD9BAC0E43
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAF1865 34_2_00007FFD9BAF1865
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 35_2_00007FFD9BAB0D48 35_2_00007FFD9BAB0D48
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 35_2_00007FFD9BAB0E43 35_2_00007FFD9BAB0E43
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAC06AE 36_2_00007FFD9BAC06AE
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAC0501 36_2_00007FFD9BAC0501
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAC088F 36_2_00007FFD9BAC088F
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAE1865 36_2_00007FFD9BAE1865
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAB0D48 36_2_00007FFD9BAB0D48
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAB0E43 36_2_00007FFD9BAB0E43
Source: Joe Sandbox View Dropped File: C:\Users\user\Desktop\iJCvyQAH.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: String function: 0013EC50 appears 56 times
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: String function: 0013F5F0 appears 31 times
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: String function: 0013EB78 appears 39 times
Source: yX8787W7de.exe, 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe
Source: yX8787W7de.exe, 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe
Source: yX8787W7de.exe Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs yX8787W7de.exe
Source: yX8787W7de.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: MsintoRefcommonsvc.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@52/31@1/1
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00126C74 GetLastError,FormatMessageW, 0_2_00126C74
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_0013A6C2
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Users\user\Desktop\iJCvyQAH.log
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Mutant created: NULL
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-laCdvL0mPwbWT7P7uNow
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Users\user\AppData\Local\Temp\i0e0ny4g
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Source: C:\Users\user\Desktop\yX8787W7de.exe Command line argument: sfxname 0_2_0013DF1E
Source: C:\Users\user\Desktop\yX8787W7de.exe Command line argument: sfxstime 0_2_0013DF1E
Source: C:\Users\user\Desktop\yX8787W7de.exe Command line argument: STARTDLG 0_2_0013DF1E
Source: yX8787W7de.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yX8787W7de.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\yX8787W7de.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\yX8787W7de.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: yX8787W7de.exe ReversingLabs: Detection: 79%
Source: yX8787W7de.exe Virustotal: Detection: 56%
Source: C:\Users\user\Desktop\yX8787W7de.exe File read: C:\Users\user\Desktop\yX8787W7de.exe
Source: unknown Process created: C:\Users\user\Desktop\yX8787W7de.exe "C:\Users\user\Desktop\yX8787W7de.exe"
Source: C:\Users\user\Desktop\yX8787W7de.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 14 /tr "'C:\Recovery\SystemSettings.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsY" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\fontrefcrt\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SwjJGfgwqbpLdPqvPFcqLsYS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe'" /rl HIGHEST /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\wNNbKC3aho.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: unknown Process created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: unknown Process created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: unknown Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe C:\fontrefcrt\MsintoRefcommonsvc.exe
Source: unknown Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe C:\fontrefcrt\MsintoRefcommonsvc.exe
Source: unknown Process created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: unknown Process created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yX8787W7de.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: mscoree.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: apphelp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: kernel.appcore.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: version.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: uxtheme.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: windows.storage.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wldp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: profapi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptsp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: rsaenh.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptbase.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: sspicli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ktmw32.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ntmarta.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wbemcomn.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: amsi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: userenv.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: propsys.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: dlnashext.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wpdshext.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: edputil.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: urlmon.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: iertutil.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: srvcli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: netutils.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wintypes.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: appresolver.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: bcp47langs.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: slc.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: sppc.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: onecorecommonproxystub.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: ktmw32.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: dlnashext.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: wpdshext.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: version.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Section loaded: sspicli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: mscoree.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: kernel.appcore.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: version.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: uxtheme.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: windows.storage.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wldp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: profapi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptsp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: rsaenh.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptbase.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: sspicli.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: mscoree.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: kernel.appcore.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: version.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: uxtheme.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: windows.storage.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: wldp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: profapi.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptsp.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: rsaenh.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: cryptbase.dll
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Section loaded: sspicli.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: mscoree.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: apphelp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: version.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: uxtheme.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: windows.storage.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: wldp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: profapi.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: cryptsp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: rsaenh.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: cryptbase.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: sspicli.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: mscoree.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: kernel.appcore.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: version.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: uxtheme.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: windows.storage.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: wldp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: profapi.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: cryptsp.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: rsaenh.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: cryptbase.dll
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: netutils.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\w32tm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Directory created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Directory created: C:\Program Files\Internet Explorer\en-US\31d454e2f3d20a
Source: yX8787W7de.exe Static file information: File size 2010836 > 1048576
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: yX8787W7de.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: yX8787W7de.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: yX8787W7de.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.pdb source: MsintoRefcommonsvc.exe, 00000005.00000002.1885029457.00000000038EE000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: conhost.exe, 0000001F.00000002.1998443695.000000001BDE3000.00000004.00000020.00020000.00000000.sdmp
Source: yX8787W7de.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yX8787W7de.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yX8787W7de.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yX8787W7de.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yX8787W7de.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs .Net Code: Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777245)),Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777259))})
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs .Net Code: Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777245)),Type.GetTypeFromHandle(kDrJNDJ0MHwHDFF2LVY.N1ORfbhMA1Z(16777259))})
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\Users\user\Desktop\yX8787W7de.exe File created: C:\fontrefcrt\__tmp_rar_sfx_access_check_4846859
Source: yX8787W7de.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013F640 push ecx; ret 0_2_0013F653
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013EB78 push eax; ret 0_2_0013EB96
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BAA4B60 push esp; retf 5_2_00007FFD9BAA4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BAA3734 pushad ; iretd 5_2_00007FFD9BAA3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BAA596C push es; retf 5_2_00007FFD9BAA5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BE4BDF8 push esi; retf 5_2_00007FFD9BE4BE0C
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BE45582 push ss; iretd 5_2_00007FFD9BE45617
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 5_2_00007FFD9BE4B577 push edi; iretd 5_2_00007FFD9BE4B578
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BAD4B60 push esp; retf 31_2_00007FFD9BAD4B63
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BAD3734 pushad ; iretd 31_2_00007FFD9BAD3735
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 31_2_00007FFD9BAD596C push es; retf 31_2_00007FFD9BAD5987
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 32_2_00007FFD9BAC4B60 push esp; retf 32_2_00007FFD9BAC4B63
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 32_2_00007FFD9BAC3734 pushad ; iretd 32_2_00007FFD9BAC3735
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Code function: 32_2_00007FFD9BAC596C push es; retf 32_2_00007FFD9BAC5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAB61E2 push cs; ret 33_2_00007FFD9BAB621F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAA4B60 push esp; retf 33_2_00007FFD9BAA4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAA3734 pushad ; iretd 33_2_00007FFD9BAA3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 33_2_00007FFD9BAA596C push es; retf 33_2_00007FFD9BAA5987
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAD61E2 push cs; ret 34_2_00007FFD9BAD621F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAC4B60 push esp; retf 34_2_00007FFD9BAC4B63
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAC3734 pushad ; iretd 34_2_00007FFD9BAC3735
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Code function: 34_2_00007FFD9BAC596C push es; retf 34_2_00007FFD9BAC5987
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 35_2_00007FFD9BAB4B60 push esp; retf 35_2_00007FFD9BAB4B63
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 35_2_00007FFD9BAB3734 pushad ; iretd 35_2_00007FFD9BAB3735
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 35_2_00007FFD9BAB596C push es; retf 35_2_00007FFD9BAB5987
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAC61E2 push cs; ret 36_2_00007FFD9BAC621F
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAB4B60 push esp; retf 36_2_00007FFD9BAB4B63
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAB3734 pushad ; iretd 36_2_00007FFD9BAB3735
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Code function: 36_2_00007FFD9BAB596C push es; retf 36_2_00007FFD9BAB5987
Source: MsintoRefcommonsvc.exe.0.dr Static PE information: section name: .text entropy: 7.446440922575369
Source: SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr Static PE information: section name: .text entropy: 7.446440922575369
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, i8MHTy5IUZXchyIkHoM.cs High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'yPYFtYK47xE', 'mmCFW7bg6VW', 'oTfQ1eFcvAjPWeYZOkxv', 'LRHFkZFcQ5syrJf5qyo5', 'bPCwDBFcp1EP96pywLrn', 'rpB36oFc5bfDIsMruvNd', 'HFrGNOFci7wynK8etRNP'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D9sVL9VYOoKcLa64l1l.cs High entropy of concatenated method names: 'LICVUshTpO', 'fWIYjmFsJ31Gp4AJAbh6', 'N75ktXFsZLHC8y6BXL1b', 'anubxHFsMI8f0nUkvD06', 'E9ivY6Fswpft8Sva1kSR', 'zbIl0vFszJsonEJcNGKo', 'EfdXhGF8C7WseKf1eNR7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, cLLiHJUx6fDetmWNaKE.cs High entropy of concatenated method names: 'Dispose', 'DUIUYrl4aV', 'u2JU0QQcgH', 'Jb4UUc7w2k', 'q57YvPFLIWuoXeA3q49A', 'oSbjDfFL9yt28LAdiPqy', 'T5V7wvFL2V4XK609fVM4', 'a6qKXXFLZohdQg4rEdIW', 'e3C7bZFLMxtHfJA4fb1A', 'nIPVDBFLJ8yKXdsqYtUA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, AuC9vOe6sFqHBNt43tA.cs High entropy of concatenated method names: 'k68S0E0yEc', 'VBAYFBFPai9sCiPK3hLp', 'nKdSfXFPLVRIIuy6FOBF', 'Rju8COFPdCkYlWIV0J6Q', 'kt5', 'PJFeoIRfex', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, uwMIsmF0IVHZpv8PrHf.cs High entropy of concatenated method names: 'BuwFhmipqy', 'E7LFv2h1aZ', 'RMJFQIktac', 'vgYpB4Fg0mPh6DRAOOrv', 'JKRlIdFg4PtVKEobhZ97', 'GjBbymFgY16KZQjv4WR2', 'Ahlm8XFgUoMLTYQvtyBp', 'GKFtNTFghoHxSeYLTJkc', 'm6OBx5Fgvv3hjG20nYpi'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FkykDdtlt3RckAZ1xhG.cs High entropy of concatenated method names: 'aZht4uG64F', 'c7GtYKXhl3', 'SXAt0t3dup', 'juiKdbFypLUdrHKD8l1y', 'B9xVJHFy5l5qx1J0D9Fs', 'G4iZGcFyvV3PxuaBctHC', 'FnEPZAFyQvLvTmRj55m6', 'RHZsKuFyixoP09fpp2df', 'jBNeAHFy6Ew3VIkEQ3Qc', 'kj6BRHFyXGLJFHkABd8f'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Rp0ihpmPKMlOOyDDGim.cs High entropy of concatenated method names: 'thtWmJj82g', 'tIEWWrqTqd', 'NJPWfkTFxw', 'OSg9qkFNRSA2LfM3Zfto', 'H0H5JQFNmengNBySGuXI', 'T1XgHBFNC7uym3S9iIeu', 'g4HolBFNF2ta5YYg17Kx', 'BRBWxV84ox', 'ifghdUFNfUJOMrXlb1qc', 'JqybQnFNqSp1NBFdFrah'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, aQGccvNwdjIgwoYMEiu.cs High entropy of concatenated method names: 'a87bCruZsj', 'kVxbFDUd5M', 'Yd7', 'lvTbRZrpvk', 'EiSbmDNwnK', 'afqbWK1N8k', 'nwcbfUkajJ', 'MBlgCpFG7tP8qVJdLirA', 'dKBmZRFGHBk4pJPBdNAW', 'sqLrUIFGnksAT0VuvROx'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oG2KJpqE5Ffil8OrnND.cs High entropy of concatenated method names: 'XXwqbFc7NN', 'JfrxGKFeeIKmUlo4JxXe', 'k5p9LpFeNwtX2OwUS5vh', 'cRcOtdFebOsP7wG4VM7q', 'hADCU7FeShJ8aGfndggk', 'lOjl6rFeySMFb1gMntXG', 'E94', 'P9X', 'vmethod_0', 'CdRFWicXVaD'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, DO2t60RfR2XgTQMBRrC.cs High entropy of concatenated method names: 'bwgRBgY9j4', 'O1pRtYsRJ9', 'Eu4R1lxYsy', 'exsRlnebMX', 'SJfax0FrlsIQoZPhVfS1', 'DSR00OFrtUMsDZBxhJUt', 'TJ7epXFr1A7ftCxWhnGY', 'bxPLdbFrxfyqgheoqtCT', 'BfRlkEFr4mRNxl9OwcVe', 'Tm61PBFrY5EpiYB70r92'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nfG7DffHYnOReArO7DN.cs High entropy of concatenated method names: 'wpOfGgnGSb', 'bvm0X1FeCCHveSvHDRC6', 'r3og7tFbwP8LGj8REaHv', 'SOmmArFbzUV43L6Nm3hM', 'hLfwhTFeF2JsGlHnqS4g', 'U1J', 'P9X', 'j2yFWhF0WtQ', 'NPPFWvLWdB0', 'DKMFtBS7a9n'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, iaYXFhjlgvTwxL6B5PV.cs High entropy of concatenated method names: 'Xs6jbGlhAN', 'isOj4eDFOS', 'y8PjYmvYyT', 'MuHj0oDKGn', 'klsjUMhxSE', 'hDVjh7OLLt', 'n14jvrWJjR', 'LFOjQEiLb4', 'zqEjpYsyDD', 'EBuj5EpdSt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, I5ND6dyPJv9U5fSS4bc.cs High entropy of concatenated method names: 'eSy2uOFAZhNK6wTWIqy9', 'aMMKXHFAMd4ZlJCYn048', 'YLEAfeFAJcja92jhR2MQ', 'MaSyurq4os', 'Mh9', 'method_0', 'FWJyIogGIu', 'y6gy9MhSID', 'mDyy2JoKqt', 'hYFyZTIeNW'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, zdnBb2BbysFyXAB2SfU.cs High entropy of concatenated method names: 't9yBSZoXU6', 'rSgByZCN0Z', 'Ux3IToFSHsWDGBFM93Ax', 'Bj9kLjFSneB532LNbdNq', 'tXcBUjFS79QSMCI8LV6Q', 'VehSEAFSsTmaqDUJm01b', 'yxymfkFS8xhgQsTixfoA', 'p6mSWqFSGEks0PiiWPdL', 'oNEdDrFSPHFdmbllHUp4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, NoU9uRNnDjGBMU3eWRb.cs High entropy of concatenated method names: 'YF3NsvHyuS', 'SDmN8fqQoB', 'rUYNGod4Bl', 'EXGNP4SmOw', 'V2eNAP7aeX', 'rnK8EmFGefapmwwIvhBI', 'ioCLcFFGSWuSGLL4AZH1', 'OanH2fFGyrdEDl8QH3gt', 'ixTF91FGN7QlC6DVQLMv', 'j0EwJIFGb0uthdtcKMy5'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, LlmiaaFw5vkf1uI2WFd.cs High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'fTGFtF27Vrb', 'tppFWFnnMPA', 'xPLiZlFg2h1WkJ64Rej9', 'UfA99YFgZ5m0kLiQMjus', 'IPOb56FgMmYBoDeRgylZ', 'INX3SXFgJaH6ZMS6JlGE'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, vyXf3ut7A1eNiF2hDQR.cs High entropy of concatenated method names: 'JSRt2c8HRV', 'hd6HgsF3UHfHcmbS0iW0', 'QFGrAoF3YAD9LG68O8pM', 'gjtglWF30TjSbWMIVJvV', 'JSJ8GTF3haachJ41OVOp', 'P9X', 'vmethod_0', 'bcrFWgyvftZ', 'imethod_0', 'Q2bIb4F31Vo5EOCL7cMq'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, l4YxQJSPv60jeyKi3Cc.cs High entropy of concatenated method names: 'v8pSuXNb1c', 'k6r', 'ueK', 'QH3', 'wx5SI962ou', 'Flush', 'GvQS9tgHvE', 'sOoS2YP6U0', 'Write', 'XPmSZv0WDh'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UM9xxuFIqa7FAijmiUO.cs High entropy of concatenated method names: 'P9X', 'TP4F2kvWwA', 'coQFtCPDvSZ', 'imethod_0', 'd81FZOYtGo', 'i3u7G9FgGTWXLX0QpIaA', 'CLNZrbFgsoPRUNvaMpU0', 'zHiNpoFg8TvBKSYo4TXx', 'ux5vOaFgP67oiqr3ffRt', 'pDVnHHFgAo78DPdlHcgp'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, XliTLta3PNtHkmSBql7.cs High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'L3oPugFuEJNcV1qf4wRp', 'SZD0AQFuoSgkennX53R7', 'uKuy5XFujPS0pSUY8wiU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, leZj9MIbd0D3vevLXls.cs High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'DIGISlr55r', 'CDlZM5F2elHaHK53jcwE', 'oQVkxwF2SnOvVO3Blhq8', 'gE7EfJF2y7FIj8Neovca', 'RbFaP4F23HPJTBoVDQB8', 'cq1qbxF2aoIEoI6EMHSb', 'vGkRiBF2LbAyAOc4JrKq'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, YST0BhBFTfLMUgDUTPd.cs High entropy of concatenated method names: 'UtxBm6kV9y', 'NqjBWitJFw', 'LHYBfGUvbW', 'ccZNE8FSmvuurd1pj3va', 'bMA8fXFSFtDM8BrJOygt', 'bx4cNrFSRqgYBSBD8WUR', 'gPxpIeFSWEFWvvMnWTQx', 'ge8b9qFSfwskWj51KGSY', 'oh9WQ0FSqLTnkGD4hHqt', 'jBBchvFSBdfIN5RXubEC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, HhrWNMWK2fpm2NgJOhX.cs High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'Uy8FtmelKSI', 'tppFWFnnMPA', 'Uq5WwIFNouY9iZFeoxsd', 'Lo5kpFFNj5qHmoPJ2f6y', 'rEURTiFNEIbEmD8LIN3x'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, TZsLZfd16BC61SSk9gw.cs High entropy of concatenated method names: 'k9rdE60HPB', 's8AH9dFIBTnppD45mWM3', 'Df6LvoFIt8h774RMDWEw', 'xNJ4M3FI1LlHIgNU1PKi', 'kQiOC4FIlSCuXAcPyBa0', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, U8hbBi10Ip00baZdKYF.cs High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'AFbZm2F3cGT2XFhv7nVd', 'wr4NwAF3Dd3rc21a4s00', 'OlEog5F3OVp03Pg277Fq', 'fSJ1hZQaMs'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, dFEVcOTb1D5Ls50Kop2.cs High entropy of concatenated method names: 'LvTTSTlicZ', 'EUmTy4cWOt', 'uEeT3kJrQX', 'yrBTahkHwx', 'vymTLNYsKD', 'FO1TdmERPe', 'KV1TTtN221', 'zBrTcaat2x', 'WtSTDNsfY1', 'mMUTOB3oCf'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, y0ZRH8S3hG81V9sFWdq.cs High entropy of concatenated method names: 'Close', 'qL6', 'EhXSLahHXR', 'fbWSdU3Iap', 'W9oSTrG4gK', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ogCmltc3yXmTbx1gfX7.cs High entropy of concatenated method names: 'sX1chiF9DDZV0UM7Q0Il', 'U6roc0F9Om2bjJtwlwe4', 'KDB4WuF9TI8aoxFNcGhV', 'GbarTwF9cZwDDORg2Yp9', 'U987fsF9L65XRDcIPwZT', 'abdZMDF93S3OkSHf9cjt', 'm9BgYSF9ak0So3vqCa4d'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, vhW8De5ri7L0uBXZgxu.cs High entropy of concatenated method names: 'bOV5acULf9', 'JgPMl8FTz2NLlw5Fl7pO', 'dcmY7SFTJoOk4ZxRrUAs', 'qmUQtDFTwgkUx08sNswv', 'OmHPaNFcCNQnN7mhJGGP', 'g255NeEk1T', 'l7X5bN2ald', 'oNr5eOJbnf', 'SXH7jAFT2XXsxgYA4uBh', 'mHwQaEFTZDqu3xKQYust'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ipZ7PHdnIe369T70yff.cs High entropy of concatenated method names: 'sJAFtEfXRv9', 'wp1ds9Vwwd', 'dtOd8XiUKI', 'mD1dGwuuta', 'ucBfvVFIiShj5CuKuBJy', 'wx8S4fFI6FIsYXYHjfaq', 'gQfm4UFIXhyjtulD3xbE', 'UX5qb6FIo3otMYqSIW4N', 'W2KEiHFIj3rgCmO27uK8', 'qZGhrCFIEiVakCBPaRjX'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, o7QBsXRbkvfTHVqk6bs.cs High entropy of concatenated method names: 'P3kRDVx9Ms', 'F8jROQrAH0', 'kqxETYFrybJKQuNqnaWv', 'SjU5qWFreceoW9UVyvQi', 'pIyRgcFrSLQxDf6DTAuU', 'ntmhkhFr3ZWQ1mcQUTq2', 'l8yRscNqUX', 'JENSoxFrTJ3UIw8u8TFn', 'KXuITMFrcKVFq1qWrObj', 'cG7iTCFrLiEikDDCxNsT'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, T5JQRuWTsFGF6mVo462.cs High entropy of concatenated method names: 'lQiWJCClZl', 'M39KGmFbmd3V9JedngKM', 'RiK948FbFqSbpDkEGwXH', 'uM1rrSFbRJK3xSRgxbD4', 'Am2USnFbWcvmaGo10Lm6', 'iDq8UNFbtSsA5HxRNUI4', 'oHa1ScFbqm4iY8gI4FiQ', 'PbAxd5FbBslQQuZ5B65X', 'mFuADAFb17brMW9GxmLm', 'B8Gfq3KVel'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, hUeysmJTMMCuD9vbtDG.cs High entropy of concatenated method names: 'c4KFqe1xuwq', 'ng5FqSPwknt', 'yW4FqyKI01L', 'Ce1Fq3kZUlS', 'h3dFqaqYLOY', 'uB8FqLgeGw7', 'nlVFqddaGBK', 'zsywfKVUri', 'sDRFqTJ7bR0', 'modFqcEP3UX'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, aYryTSUoVJqCteKVAgg.cs High entropy of concatenated method names: 'Dxh5YhWTlQ', 'oDf50iMM52', 'LAA7vsFTcWkeTegZ3jO0', 'CVZv2xFTdAPuj9rL5LGU', 'YbYhwGFTTtphh3G4K7wc', 'PuO5yVFTDwZDhhuyPXUh', 'ILKPSCFTOA9DiNjljsdU', 'aiB556ecDt', 'NKqnU3FTnHWZDoCv8Al6', 'qWyk0LFT70w08y85cEsJ'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, h2qYPjB5wpqUvZLVs9w.cs High entropy of concatenated method names: 'm5aBrWXGbv', 'tsOHAoFSdGyGUrbufcZ9', 'EyLK1HFSTDgDy9qt1Ufs', 'VjPFeEFSavnDCBjP2viK', 'XTJBdwFSLRoKuWJqmHFO', 'd5oHXKFScYByyrNpnEf5', 'l5aTrWFSDHxfeqfvQQd6', 'EC7B6SHRNb', 'u8nBXpI018', 'IQpBo7hihD'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Glrptntv08UUWSF53LF.cs High entropy of concatenated method names: 'k7ati9w0vV', 'c8H2ATFyytbfHRgMHK1j', 'GKHKorFyetAy6eftd3Ti', 'TNSY4GFySyAmYMQo7GCn', 'HBJyJ3Fy3NPLAUap81iQ', 'LU1tpbkXhC', 'WZuUjkFygRskAQ2ERH6E', 'Rkvd3DFyrBODuWpWOJ9y', 'OrRnLDFyV2obSrk2dQID', 'dl58pFFyKuhYlXSEtpZU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, o1oYKWid2KpX1FvrONH.cs High entropy of concatenated method names: 'N2N', 'HZZFtUnfp3N', 'mTIicQJpJt', 'ThEFthyai0i', 'J6R3SbFDfAtT83eJRN6i', 'vj8fQ2FDqb4fje6Exa72', 'N8CVIjFDmtD0A7xdnccG', 'XvoFYUFDWQBPQxUywDvx', 'L83q5ZFDBQgoPER7gAHi', 'XCjJTfFDt9vwPA2cO0s1'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, TRm9WYILYoLflnXClmm.cs High entropy of concatenated method names: 'LsNFtkPbFsZ', 'Nk8FqKRgeP3', 'ytoTnqFZBF59dEh8pKoW', 'F4cSclFZfTjBBRSyhPcW', 'VYwY8AFZqbZbHd0Sl7wk', 'wG04XIFZxGFOEpojA68C', 'hKthmoFZ1MPxrL1xNMes', 'tEk6HvFZldlBN2xpgtjj', 'qtjgUOFZ4iu6Bb9TrGRU', 'imethod_0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UcGflgBDT3lsQIJRV0o.cs High entropy of concatenated method names: 'nsHB2JaU3D', 'B97BZSsdd1', 'LnkGGPFyWajv91KqHjhW', 'GRvdjrFyRBX9oiVYtcub', 'db71vvFyme8GQQbJBXhT', 'jsskJAFyfrpXQf1wjpGO', 'weKBH1LHME', 'lGVBn9aKfs', 'oOHB7HEkJe', 'k9JBsUyOpd'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, RKIDm31jt3nbX5Wu9NT.cs High entropy of concatenated method names: 'sQ5U52FLbp01haYDFrcS', 'IAI25PFLVpj1KOrqdgka', 'CJr0vRFLN2hSPQDRTiqa', 'o5L0wyVt0e', 'tAJ0GeFLSysc3DB2JQWv', 'I7ZWbRFLyGE0a0PjEqLm', 'QQvxviFL34fVmHbnBn9Z', 'MDXvb6FLaPwKnkuONyaw', 'QihUFE6Niw', 'JCojaRFLc8LyKwgq4pM4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, fX8eQwiGCO6SdHJqcBH.cs High entropy of concatenated method names: 'OKMFtvnjs5T', 'LZGiAI7IKZ', 'QmUFtQ3vdQ5', 'T7UaVPFDvMHhOrIgdJEU', 'tTsyYvFDQYnhZFlVCdKH', 'NFi66WFDUQDlAwCy8biO', 'DJQqVdFDhDBHjPfZp21a', 'byGUyIFDpCIpJmIwhYVO', 'xQXyU8FD5I1CqRlQYLAU', 'erqZaWFDiLnTbgvuxxVr'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FrEqMemkBngvOql2XZc.cs High entropy of concatenated method names: 'fiTmOoDbMD', 'je2mHdF193', 'q5tmnJwMkt', 'rSAP8nFVT3FbMIUqJme0', 'mdxZOtFVcNV4q4MKGvjY', 'S73i1gFVLuUs2cCAEtdj', 'aZgpRHFVdRZG2nwPRj1N', 'BhRmrJZfSK', 'yZKmVusUgO', 'zTSmNYhlnd'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, n51JElzTmUmkggO9LA.cs High entropy of concatenated method names: 'tw0FFXXuJ2', 'bnsFmS0TNr', 'ahSFWWZ3xM', 'GENFfDLhAx', 'PMOFqgE6Jp', 'k27FBigkJa', 'tyPF1TwqKq', 'CuduQmFgmokVcBJrYxDX', 'woYjhYFgWlA7B0cXF4C9', 'VMdfjQFgfsvRHFMcNrZo'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, YXAOeSKjqyIxbBq3IcE.cs High entropy of concatenated method names: 'eHtKK5JaCB', 'DupKkx2FOb', 'IfLKgQCaSn', 'JhCKr724v0', 'e1EKVwflY7', 'ti4aQCFnLKMmK2KSh2vi', 'WPVnVwFn3jLZaMCnHwgB', 'XbfRMnFnaONBXIV4AFXS', 'nRqJp6FndSunhXyQ5uQr', 'qHs4xYFnTML2uAPOWFWM'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D2p9XAqyRSObWLQZe0B.cs High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'gknFtlu7GB3', 'tppFWFnnMPA', 'dMvdhJFeaYvZ7YHeTOqi', 'OgP91TFeLF5NL3vJI3XA', 'U9rUxtFedqpxvf0m2k4X'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, no4PKlrwIkMZVpKKVjy.cs High entropy of concatenated method names: 'qYAVCCEO2n', 'i3gVFHY6HS', 'etKVRPliSX', 'je4VmwOOs6', 'KDiVWxudIt', 'Y7SVffXN7F', 'Si1cHVFscn1c3i9ahUMr', 'c80cFuFsd1gAMkZa4w06', 'pQ5AoJFsTFZTfJ1cvDyJ', 'O1NgL8FsDOpUsrboaaDc'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, EBqZ44fAx1Cx4xcMqDt.cs High entropy of concatenated method names: 'u2pfMMSIHr', 'qHXfJD5Z3P', 'SZLfwMrUtT', 'H9afzXTWPa', 'NIVqCwbAMq', 'MRrqF3H6fe', 'tToqRJO17P', 'WhifryFelTlyi5apqveC', 'qLqZqBFet6ABNSh4jjJj', 'ALOMoZFe1FqCy4pgaETt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, LqXXCXbtkhyL3k8Wu7s.cs High entropy of concatenated method names: 'ASPblfPqml', 'olTbxDT1dY', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'Ud8b4kjWvU', 'method_2', 'uc7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, ELfSQutga90qN9hiPTZ.cs High entropy of concatenated method names: 'MMrtVmh4qw', 'IGBtNc3J07', 'bSmtbygvhw', 'dvJteQSfCV', 'Uf0tSfst4p', 'asvtyyOQqp', 'CbBxZZFyuyP8g6U1ohAR', 'pVUPeqFyIkJLfpFokAHD', 'j3yC97Fy9GwJIhsFYTS6', 'eYclNeFy2eJYfGo4oetw'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, d276UegDlySAk6ipgAK.cs High entropy of concatenated method names: 'VqfgJ2gI0K', 'MmrgzgvRnx', 'Jo8gHAVTpC', 'NX5gnRFHWr', 'IGeg73xr61', 'GmkgsOXh2d', 'wtwg8Akgok', 'akBgGlq7W3', 'g3kgPkmNYA', 'yAigA01y1G'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, HFpfHkVcEPMgdY0KgJk.cs High entropy of concatenated method names: 'CfFVORQb2C', 'moUVHEcPSj', 'MYlVn1jSNW', 'YpDV77QJnq', 'D4SVsZUSkf', 'q7oV8ZIrBJ', 'E2JVGDsinG', 'J9OVPWSUTC', 'xFdVAFarsR', 'zeZVux7Jt0'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, eCc9safhO5jkv3cSGMm.cs High entropy of concatenated method names: 'OgbfgafHZu', 'KhOfrCiC3J', 'nWwfVWcGtU', 'RdSpBZFb300tAWl6VVBM', 'xhO1HCFbaD5hxaVF70Dl', 'd8PbogFbS06F4wQbVjNb', 'A6wMkEFbyLq9AKrWLlql', 'M1nfjGHuvC', 'aiWfEoIjpg', 'EisVanFbblWFXBgWaVti'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, SFJ0Yp6hbywbZLCPU1g.cs High entropy of concatenated method names: 'WlMpu4FOlkEAIsLIDHeU', 'g6b8cTFOxtWYDTQ0hxAh', 'feacnaFOtfk25udhUHiA', 'DY6WLFFO102y2JvVAs0B', 'method_0', 'method_1', 'q3s6QvcnKO', 'Cu56pf1sIr', 'jqY65tZ0bf', 'TxL6igftkC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, sOQSJw1RbCONc9XBNnw.cs High entropy of concatenated method names: 'Hn81WYab80', 'vZm1ftL3g7', 'w9T1qlbGRB', 'MRi1BH926E', 'qo41tUXMLC', 'NLE113e0sK', 'ekV1lM2Ck2', 'WY41xnMJN7', 'Owe14Dicsc', 'FN71Y85aWk'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bBXk7o2bxZxi5i8NE3U.cs High entropy of concatenated method names: 'ffi2SIsTAF', 'xbC2ytDU0v', 'QX123Jk4qj', 'u832a8bFIF', 'Dispose', 'Bdj1sPFM0xPqnP9giqwe', 'X9RthoFMUgyJslaiWaid', 'GBKO0lFMhffE40QpxpAb', 'NIUUEkFMvt2xY1Q5x34l', 'cbBHVrFMQQlWUKIeMkCr'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, UtHdrj2YosutCLKVjcS.cs High entropy of concatenated method names: 'oNn2h0mtXJ', 's9C25IqHIl', 'SJZ2XXGRTE', 'OfT2ooww6m', 'O7n2j6Vq5W', 'xEQ2Ex0Oad', 'dB92K03sLH', 'Sic2k5L0If', 'Dispose', 'jEgNo3FMBsk81fRVog8N'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nW5ZnUTZwIJ6JZfHIcM.cs High entropy of concatenated method names: 'UaJTJThv7i', 'm68TwOSTB6', 'hRuTz1umBY', 'E4EcCyTJ41', 'Na3cFcFDUN', 'L1ycRSNOGI', 'wACcmslEhy', 'veCcWYrmPI', 'yi5cfsQLqA', 'WZicqRBejW'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs High entropy of concatenated method names: 'odwpDQFJmn9yZUtdDcnR', 'GQYFXFFJWYGZFErHRoij', 'sjfMIFtEuU', 'cCanUsFJtRm9gvDbUwbs', 'QttDgyFJ1Qiy0WMqEStN', 'RYaBqFFJl4cM5C6Pixau', 'XQIHvhFJxhLDvmHxhpee', 'owIdeCFJ482ZHcK7OC0T', 's1w0fxFJYku8eKtjt932', 'eQM7e5FJ0ehQ4Zjc9mj4'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, g3VvtZgmURJWyMLWjAV.cs High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'SJwgfaEjZU', 'Write', 'qEngqFHjOJ', 'y1mgB34elA', 'Flush', 'vl7'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, RnCU5MFpcDgWsccjmZv.cs High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'yDIFBzX6etv', 'tppFWFnnMPA', 'n82YKKFgprXX8WI3mAiW', 'c29cqFFg589U3E4tEsE3'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, DMFUBvJprpZ6MX95NQt.cs High entropy of concatenated method names: 'Cu2JV2f5bA', 'LqOJNVUSJ7', 'V0eJbWuH5m', 'kbxJe0IASH', 'yxvJSCiNRk', 'HPZJySlHWX', 'ENTJ3b0G4P', 'MJBJaPcUPc', 'vRLJLvSJMQ', 'ngrJdy2w0C'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, XsNwZojAVEhLp21jheL.cs High entropy of concatenated method names: 'HmCjI18pHY', 'fKfj9pqCd8', 'zSBj2ALEic', 'B79jZBkKe8', 'UvDjMnr3ua', 'PIgSe2FHDg2lfrIxihG7', 'sLDvvDFHT6FIi80ehxeF', 'WI1qCBFHcvPMxHCTvXjl', 'PJBMZZFHOxrigkjIP7UH', 'VZ0jlXFHHHbi7J5vEkk8'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, scC9m8kb2G5L9TRMhiU.cs High entropy of concatenated method names: 'method_0', 'Q5LkS2gIBe', 'LWfky6gr0j', 'oNPk3ic7YH', 'GOZkaFojqc', 'ocrkLaETD3', 'Bg2kdO8aQc', 'ko1F7LF7q4uU2ICIx5RI', 'X8jkh5F7BtAlibv66G0c', 'gMEWVjF7tHT97L44JsUA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, D1iQNZ6xCqtDlO26Eue.cs High entropy of concatenated method names: 'Rrr', 'y1x', 'JroFtX3jgfF', 'prCFtogCS3O', 'wBQkm1FDHG88TM0llMCQ', 'IEuv6SFDnIGLxtfKMbaR', 'H1w6cOFD7MV9oqZnYdYY', 'e7OZGQFDsewxWWkuVMkN', 'eHbIfgFD8tAKKkXhSujf', 'eU8s2TFDG1hJwY65jM3I'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bkahGwRPJAf3nl0OqmU.cs High entropy of concatenated method names: 'HAYmBGFMYH', 'XO5N5DFr2Fqt4s0r0ycv', 'Ol6lvsFrZG1sZiG014QH', 'FIgZSoFrMioK1grwhG4n', 'aI3NK0FrJnLnpZRrLgfN', 'G1nUnmFrIKZ1D0lExB6p', 'r3oVtrFr9ambCeqH2A5e', 'BOPCTbFrwPIjq0qgX7ux', 'wOsmC209Tv', 'KBpmRBsoBU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, IoVxrLKIFt7fXiO2BQQ.cs High entropy of concatenated method names: 'pmrK2il4gs', 'gSdKZSDsFF', 'QCKKMqYve5', 'luNFpGFnuVtV3fMpxIwH', 'i8U2UgFnP3Ue9Zwgj2EN', 'otUKkNFnAvIMyrKiTy8u', 'IqYbOPFnIiV1nHGZtuIE', 'EXQ1aVFn906W0jndHo3g', 'jLhL0uFn2wcB02PiE8hN'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FspQ6oESkE0N7J4rQfO.cs High entropy of concatenated method names: 'fLyE3KjXoR', 'xJ2qfdFHzVBO3jWYApYU', 'pDYm0dFnCo6kBTtdSk58', 'i262DsFnFnrY46GSe6i7', 'vIWghQFnRgkcDbMQ86Ni'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, bk5JwiIkDZSiBcrm3L1.cs High entropy of concatenated method names: 'TCJFtKDL6TX', 'whcFq6ugZ2a', 'yQ8', 'K9m', 'GpJCvaF2VZ7hYOsm3c3F', 'R5IpdCF2gd1kf7gkCo1Q', 'k92AaiF2rP5PihDBDRxt', 'r8VX40F2NWMFrJvAnEkt'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, f4FS5rfyCG0BE2ExRgC.cs High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'cmJFWxfZlfA', 'l29favHWCB', 'imethod_0', 'LyvNDcFbd1sWI3BZr3S7', 'PLTjCOFbTCxaDN2wayGf', 'v2DWR1FbcEmN68S7rkSd', 'P91k7gFbDgnEjwbFuvZY'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, IaFqGvr7qoMTj0vWCqI.cs High entropy of concatenated method names: 'WEqr81yMT2', 'MberGBn6FH', 'EBhrP5wk1s', 'Wb9TnuFs6RSRD0gmCNQs', 'ogb7X9FsXdiRreInpLBb', 'ML6jjqFsobJo2f4AbAYV', 'bf1xd7FsjMMRvHFKuxcZ', 'yUO1gcFsEIc2F7yFZS4e', 'PyIi9bFsKcWYv1nI1GO1', 'glmJ33Fsk0sIH8tDWghC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, f4FUZyVtnmNWPJZGv5K.cs High entropy of concatenated method names: 'UcXVly93bv', 'H9lVxYGhTh', 'sY6V4LBiCD', 'SenugbFsGbC9KyyeaouX', 'YCJJVIFsPnsF0jOHMq9P', 'GxOZRsFsAr2dLk2YsHRP', 'EmqKrAFsu4mRgaIpNtA5', 'nmIq0lFsIAWK39FscZti', 'jFNs1dFs9D4okfqOAevN'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oWMIeSVbARowYyO8CCL.cs High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, nimHOhqDR0XehhUMn1D.cs High entropy of concatenated method names: 'boMq2PFf1o', 'seaqZ90N2d', 'uL2qMecyHO', 'lJgIjuFewM9QScMDVjcM', 'vL9tX6FezCKspq19XrX5', 'OOHi4rFeMqpxMT6iyupS', 'yursa8FeJU5QxyrJSe3N', 'SYVqHfxkbm', 'wSsqnq2Os5', 'IgRq7b7OWI'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, d4DDcFB1YaeS5ymMq2O.cs High entropy of concatenated method names: 'ni7BxbmRSE', 'FFmB45wUFG', 'J3m6roFSYPLTdis0kOaM', 'EBBv1vFSxfTFMsDElaIf', 'R1dY4ZFS4DrWxUQ38v7a', 's7MPgCFS01jYQMaaAlAe', 'pMQsGOFSUDBibYsZrEWj', 'HL5J86FShawcDXC0uCMh', 'eZNMCXFSvYXF5e6yItGV', 'dWCE7CFSQluYbZ0rSt1r'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, B7swkY5d24qgw4JNMTX.cs High entropy of concatenated method names: 'iQd57yhWUd', 'PiW5sMLOcS', 'NZy584U091', 'X4auF2FctCnlo7GQwIT9', 'sCq3UMFc1AWEPgvuKqH7', 'c0up9uFcqjm5SMNYMK3H', 'ojNgaJFcBfnU0tvZdsRt', 'OGG5copb4i', 'Yju5DJgMC4', 'RfY5Oyq7sU'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, qsb7IV6F2wSBjePpK4D.cs High entropy of concatenated method names: 'rC9', 'method_0', 'gD1Ft5oX5Jg', 'MmxFtic2k7s', 'qwDP7SFDVE78WIihpT4v', 'N46MTHFDNtLnpIFmSUXs', 'tjfpIMFDbRfGw9ivExQA', 'J4kruxFDeX63OHadpheu', 'xIm8LXFDSJt86TayxHfM', 'bReQaLFDyGev0q6i6qOC'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, FBDnIjkxxqDhtGVx6Kr.cs High entropy of concatenated method names: 'nLNkYVBg1T', 'JuJk0AaSsV', 'rMlkUvxIhZ', 'eVskh86UI4', 'hEBkvkyEEo', 'O5QWyWFnw6BZIHYR1HAr', 'DEyfcuFnMaKrV4plHFGc', 'kq6xYBFnJM23ETZs5sje', 'EFJ3E8Fnz8igK6aHnWQW', 'X4263QF7COBi7Zlq8R2a'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, EdHrs5Riu05jhthKn9l.cs High entropy of concatenated method names: 'tHkRXqKx3Z', 'gXyRoq6276', 'yNTJJVFrX7fRvnnl88ru', 'V9AI9yFrivlevqDg23pP', 'PAskerFr6dJw3iKElp5I', 'U8xKS3FrobHkrwwfg7iF', 'R3fVEdFrjlUNHFtxiUsI', 'zqn3BsFrEQ1ovdiGNKCI', 'iOO8TxFrKhvbiqWswitP', 'VeUwH0FrkdnM3Z29N9vA'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, h0h4vuruufbah7wPSfo.cs High entropy of concatenated method names: 'K0Hr9Sk9AD', 'q3rr2abS8J', 'wJGrZ3GVkQ', 'prDrM3r0nb', 'wdvrJDVBiC', 'KFuts5FsVBiSk3QU7r2L', 'F5mAYAFsNJB3PahIeOHf', 'pJv2cIFsbN1MPwkbdlxh', 'blH2U7FseQVNMRErdy59', 'yfdKaoFsST8jq2J8s868'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, oQXbyMf1LcX9TnWRQFc.cs High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'aTiFtfNqhuQ', 'tppFWFnnMPA', 'udv1OPFbUxWpPT9p81nI', 'OLduAyFbhkt949WfEMwt', 'PD0gdGFbvmj3HwfQVDE8', 'iOvSaWFbQO62XpLDWCol'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, hJrPErXYRO7mn0ciTTb.cs High entropy of concatenated method names: 'q5OjFL0h3k', 'FGZD2YFHh9a4WaDTOjNs', 'Q929sFFH0uEYQYdM8hCr', 'YEQs6jFHUeauAusAP7IN', 'yow53ZFHv90aqs9WigdM', 'wVoXU5XNl1', 'VXGXhFvij6', 'L2YXvJT7d2', 'PbKXQwNcbS', 'VNMXpQVnXI'
Source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, JvN7QYQTR4ll9U8FD3.cs High entropy of concatenated method names: 'MFfyxWVf5', 'oyyljwFkVg6DhPIw7fpj', 'fwC10vFkNRRJt2dKPUtT', 'INnm5YFkbPsaOla3rHXu', 'Eoh5E4F4i', 'poFiHqPmo', 'JUm6CYrrc', 'iDRXS1p1P', 'k3doM7ZY0', 'XA0jEvTmW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, i8MHTy5IUZXchyIkHoM.cs High entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'yPYFtYK47xE', 'mmCFW7bg6VW', 'oTfQ1eFcvAjPWeYZOkxv', 'LRHFkZFcQ5syrJf5qyo5', 'bPCwDBFcp1EP96pywLrn', 'rpB36oFc5bfDIsMruvNd', 'HFrGNOFci7wynK8etRNP'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D9sVL9VYOoKcLa64l1l.cs High entropy of concatenated method names: 'LICVUshTpO', 'fWIYjmFsJ31Gp4AJAbh6', 'N75ktXFsZLHC8y6BXL1b', 'anubxHFsMI8f0nUkvD06', 'E9ivY6Fswpft8Sva1kSR', 'zbIl0vFszJsonEJcNGKo', 'EfdXhGF8C7WseKf1eNR7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, cLLiHJUx6fDetmWNaKE.cs High entropy of concatenated method names: 'Dispose', 'DUIUYrl4aV', 'u2JU0QQcgH', 'Jb4UUc7w2k', 'q57YvPFLIWuoXeA3q49A', 'oSbjDfFL9yt28LAdiPqy', 'T5V7wvFL2V4XK609fVM4', 'a6qKXXFLZohdQg4rEdIW', 'e3C7bZFLMxtHfJA4fb1A', 'nIPVDBFLJ8yKXdsqYtUA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, AuC9vOe6sFqHBNt43tA.cs High entropy of concatenated method names: 'k68S0E0yEc', 'VBAYFBFPai9sCiPK3hLp', 'nKdSfXFPLVRIIuy6FOBF', 'Rju8COFPdCkYlWIV0J6Q', 'kt5', 'PJFeoIRfex', 'ReadByte', 'get_CanRead', 'get_CanSeek', 'get_CanWrite'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, uwMIsmF0IVHZpv8PrHf.cs High entropy of concatenated method names: 'BuwFhmipqy', 'E7LFv2h1aZ', 'RMJFQIktac', 'vgYpB4Fg0mPh6DRAOOrv', 'JKRlIdFg4PtVKEobhZ97', 'GjBbymFgY16KZQjv4WR2', 'Ahlm8XFgUoMLTYQvtyBp', 'GKFtNTFghoHxSeYLTJkc', 'm6OBx5Fgvv3hjG20nYpi'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FkykDdtlt3RckAZ1xhG.cs High entropy of concatenated method names: 'aZht4uG64F', 'c7GtYKXhl3', 'SXAt0t3dup', 'juiKdbFypLUdrHKD8l1y', 'B9xVJHFy5l5qx1J0D9Fs', 'G4iZGcFyvV3PxuaBctHC', 'FnEPZAFyQvLvTmRj55m6', 'RHZsKuFyixoP09fpp2df', 'jBNeAHFy6Ew3VIkEQ3Qc', 'kj6BRHFyXGLJFHkABd8f'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Rp0ihpmPKMlOOyDDGim.cs High entropy of concatenated method names: 'thtWmJj82g', 'tIEWWrqTqd', 'NJPWfkTFxw', 'OSg9qkFNRSA2LfM3Zfto', 'H0H5JQFNmengNBySGuXI', 'T1XgHBFNC7uym3S9iIeu', 'g4HolBFNF2ta5YYg17Kx', 'BRBWxV84ox', 'ifghdUFNfUJOMrXlb1qc', 'JqybQnFNqSp1NBFdFrah'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, aQGccvNwdjIgwoYMEiu.cs High entropy of concatenated method names: 'a87bCruZsj', 'kVxbFDUd5M', 'Yd7', 'lvTbRZrpvk', 'EiSbmDNwnK', 'afqbWK1N8k', 'nwcbfUkajJ', 'MBlgCpFG7tP8qVJdLirA', 'dKBmZRFGHBk4pJPBdNAW', 'sqLrUIFGnksAT0VuvROx'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oG2KJpqE5Ffil8OrnND.cs High entropy of concatenated method names: 'XXwqbFc7NN', 'JfrxGKFeeIKmUlo4JxXe', 'k5p9LpFeNwtX2OwUS5vh', 'cRcOtdFebOsP7wG4VM7q', 'hADCU7FeShJ8aGfndggk', 'lOjl6rFeySMFb1gMntXG', 'E94', 'P9X', 'vmethod_0', 'CdRFWicXVaD'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, DO2t60RfR2XgTQMBRrC.cs High entropy of concatenated method names: 'bwgRBgY9j4', 'O1pRtYsRJ9', 'Eu4R1lxYsy', 'exsRlnebMX', 'SJfax0FrlsIQoZPhVfS1', 'DSR00OFrtUMsDZBxhJUt', 'TJ7epXFr1A7ftCxWhnGY', 'bxPLdbFrxfyqgheoqtCT', 'BfRlkEFr4mRNxl9OwcVe', 'Tm61PBFrY5EpiYB70r92'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nfG7DffHYnOReArO7DN.cs High entropy of concatenated method names: 'wpOfGgnGSb', 'bvm0X1FeCCHveSvHDRC6', 'r3og7tFbwP8LGj8REaHv', 'SOmmArFbzUV43L6Nm3hM', 'hLfwhTFeF2JsGlHnqS4g', 'U1J', 'P9X', 'j2yFWhF0WtQ', 'NPPFWvLWdB0', 'DKMFtBS7a9n'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, iaYXFhjlgvTwxL6B5PV.cs High entropy of concatenated method names: 'Xs6jbGlhAN', 'isOj4eDFOS', 'y8PjYmvYyT', 'MuHj0oDKGn', 'klsjUMhxSE', 'hDVjh7OLLt', 'n14jvrWJjR', 'LFOjQEiLb4', 'zqEjpYsyDD', 'EBuj5EpdSt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, I5ND6dyPJv9U5fSS4bc.cs High entropy of concatenated method names: 'eSy2uOFAZhNK6wTWIqy9', 'aMMKXHFAMd4ZlJCYn048', 'YLEAfeFAJcja92jhR2MQ', 'MaSyurq4os', 'Mh9', 'method_0', 'FWJyIogGIu', 'y6gy9MhSID', 'mDyy2JoKqt', 'hYFyZTIeNW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, zdnBb2BbysFyXAB2SfU.cs High entropy of concatenated method names: 't9yBSZoXU6', 'rSgByZCN0Z', 'Ux3IToFSHsWDGBFM93Ax', 'Bj9kLjFSneB532LNbdNq', 'tXcBUjFS79QSMCI8LV6Q', 'VehSEAFSsTmaqDUJm01b', 'yxymfkFS8xhgQsTixfoA', 'p6mSWqFSGEks0PiiWPdL', 'oNEdDrFSPHFdmbllHUp4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, NoU9uRNnDjGBMU3eWRb.cs High entropy of concatenated method names: 'YF3NsvHyuS', 'SDmN8fqQoB', 'rUYNGod4Bl', 'EXGNP4SmOw', 'V2eNAP7aeX', 'rnK8EmFGefapmwwIvhBI', 'ioCLcFFGSWuSGLL4AZH1', 'OanH2fFGyrdEDl8QH3gt', 'ixTF91FGN7QlC6DVQLMv', 'j0EwJIFGb0uthdtcKMy5'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, LlmiaaFw5vkf1uI2WFd.cs High entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'fTGFtF27Vrb', 'tppFWFnnMPA', 'xPLiZlFg2h1WkJ64Rej9', 'UfA99YFgZ5m0kLiQMjus', 'IPOb56FgMmYBoDeRgylZ', 'INX3SXFgJaH6ZMS6JlGE'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, vyXf3ut7A1eNiF2hDQR.cs High entropy of concatenated method names: 'JSRt2c8HRV', 'hd6HgsF3UHfHcmbS0iW0', 'QFGrAoF3YAD9LG68O8pM', 'gjtglWF30TjSbWMIVJvV', 'JSJ8GTF3haachJ41OVOp', 'P9X', 'vmethod_0', 'bcrFWgyvftZ', 'imethod_0', 'Q2bIb4F31Vo5EOCL7cMq'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, l4YxQJSPv60jeyKi3Cc.cs High entropy of concatenated method names: 'v8pSuXNb1c', 'k6r', 'ueK', 'QH3', 'wx5SI962ou', 'Flush', 'GvQS9tgHvE', 'sOoS2YP6U0', 'Write', 'XPmSZv0WDh'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UM9xxuFIqa7FAijmiUO.cs High entropy of concatenated method names: 'P9X', 'TP4F2kvWwA', 'coQFtCPDvSZ', 'imethod_0', 'd81FZOYtGo', 'i3u7G9FgGTWXLX0QpIaA', 'CLNZrbFgsoPRUNvaMpU0', 'zHiNpoFg8TvBKSYo4TXx', 'ux5vOaFgP67oiqr3ffRt', 'pDVnHHFgAo78DPdlHcgp'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, XliTLta3PNtHkmSBql7.cs High entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'L3oPugFuEJNcV1qf4wRp', 'SZD0AQFuoSgkennX53R7', 'uKuy5XFujPS0pSUY8wiU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, leZj9MIbd0D3vevLXls.cs High entropy of concatenated method names: 'method_0', 'h59', 'R73', 'DIGISlr55r', 'CDlZM5F2elHaHK53jcwE', 'oQVkxwF2SnOvVO3Blhq8', 'gE7EfJF2y7FIj8Neovca', 'RbFaP4F23HPJTBoVDQB8', 'cq1qbxF2aoIEoI6EMHSb', 'vGkRiBF2LbAyAOc4JrKq'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, YST0BhBFTfLMUgDUTPd.cs High entropy of concatenated method names: 'UtxBm6kV9y', 'NqjBWitJFw', 'LHYBfGUvbW', 'ccZNE8FSmvuurd1pj3va', 'bMA8fXFSFtDM8BrJOygt', 'bx4cNrFSRqgYBSBD8WUR', 'gPxpIeFSWEFWvvMnWTQx', 'ge8b9qFSfwskWj51KGSY', 'oh9WQ0FSqLTnkGD4hHqt', 'jBBchvFSBdfIN5RXubEC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, HhrWNMWK2fpm2NgJOhX.cs High entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'Uy8FtmelKSI', 'tppFWFnnMPA', 'Uq5WwIFNouY9iZFeoxsd', 'Lo5kpFFNj5qHmoPJ2f6y', 'rEURTiFNEIbEmD8LIN3x'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, TZsLZfd16BC61SSk9gw.cs High entropy of concatenated method names: 'k9rdE60HPB', 's8AH9dFIBTnppD45mWM3', 'Df6LvoFIt8h774RMDWEw', 'xNJ4M3FI1LlHIgNU1PKi', 'kQiOC4FIlSCuXAcPyBa0', 'IPy', 'method_0', 'method_1', 'method_2', 'vmethod_0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, U8hbBi10Ip00baZdKYF.cs High entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'AFbZm2F3cGT2XFhv7nVd', 'wr4NwAF3Dd3rc21a4s00', 'OlEog5F3OVp03Pg277Fq', 'fSJ1hZQaMs'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, dFEVcOTb1D5Ls50Kop2.cs High entropy of concatenated method names: 'LvTTSTlicZ', 'EUmTy4cWOt', 'uEeT3kJrQX', 'yrBTahkHwx', 'vymTLNYsKD', 'FO1TdmERPe', 'KV1TTtN221', 'zBrTcaat2x', 'WtSTDNsfY1', 'mMUTOB3oCf'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, y0ZRH8S3hG81V9sFWdq.cs High entropy of concatenated method names: 'Close', 'qL6', 'EhXSLahHXR', 'fbWSdU3Iap', 'W9oSTrG4gK', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ogCmltc3yXmTbx1gfX7.cs High entropy of concatenated method names: 'sX1chiF9DDZV0UM7Q0Il', 'U6roc0F9Om2bjJtwlwe4', 'KDB4WuF9TI8aoxFNcGhV', 'GbarTwF9cZwDDORg2Yp9', 'U987fsF9L65XRDcIPwZT', 'abdZMDF93S3OkSHf9cjt', 'm9BgYSF9ak0So3vqCa4d'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, vhW8De5ri7L0uBXZgxu.cs High entropy of concatenated method names: 'bOV5acULf9', 'JgPMl8FTz2NLlw5Fl7pO', 'dcmY7SFTJoOk4ZxRrUAs', 'qmUQtDFTwgkUx08sNswv', 'OmHPaNFcCNQnN7mhJGGP', 'g255NeEk1T', 'l7X5bN2ald', 'oNr5eOJbnf', 'SXH7jAFT2XXsxgYA4uBh', 'mHwQaEFTZDqu3xKQYust'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ipZ7PHdnIe369T70yff.cs High entropy of concatenated method names: 'sJAFtEfXRv9', 'wp1ds9Vwwd', 'dtOd8XiUKI', 'mD1dGwuuta', 'ucBfvVFIiShj5CuKuBJy', 'wx8S4fFI6FIsYXYHjfaq', 'gQfm4UFIXhyjtulD3xbE', 'UX5qb6FIo3otMYqSIW4N', 'W2KEiHFIj3rgCmO27uK8', 'qZGhrCFIEiVakCBPaRjX'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, o7QBsXRbkvfTHVqk6bs.cs High entropy of concatenated method names: 'P3kRDVx9Ms', 'F8jROQrAH0', 'kqxETYFrybJKQuNqnaWv', 'SjU5qWFreceoW9UVyvQi', 'pIyRgcFrSLQxDf6DTAuU', 'ntmhkhFr3ZWQ1mcQUTq2', 'l8yRscNqUX', 'JENSoxFrTJ3UIw8u8TFn', 'KXuITMFrcKVFq1qWrObj', 'cG7iTCFrLiEikDDCxNsT'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, T5JQRuWTsFGF6mVo462.cs High entropy of concatenated method names: 'lQiWJCClZl', 'M39KGmFbmd3V9JedngKM', 'RiK948FbFqSbpDkEGwXH', 'uM1rrSFbRJK3xSRgxbD4', 'Am2USnFbWcvmaGo10Lm6', 'iDq8UNFbtSsA5HxRNUI4', 'oHa1ScFbqm4iY8gI4FiQ', 'PbAxd5FbBslQQuZ5B65X', 'mFuADAFb17brMW9GxmLm', 'B8Gfq3KVel'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, hUeysmJTMMCuD9vbtDG.cs High entropy of concatenated method names: 'c4KFqe1xuwq', 'ng5FqSPwknt', 'yW4FqyKI01L', 'Ce1Fq3kZUlS', 'h3dFqaqYLOY', 'uB8FqLgeGw7', 'nlVFqddaGBK', 'zsywfKVUri', 'sDRFqTJ7bR0', 'modFqcEP3UX'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, aYryTSUoVJqCteKVAgg.cs High entropy of concatenated method names: 'Dxh5YhWTlQ', 'oDf50iMM52', 'LAA7vsFTcWkeTegZ3jO0', 'CVZv2xFTdAPuj9rL5LGU', 'YbYhwGFTTtphh3G4K7wc', 'PuO5yVFTDwZDhhuyPXUh', 'ILKPSCFTOA9DiNjljsdU', 'aiB556ecDt', 'NKqnU3FTnHWZDoCv8Al6', 'qWyk0LFT70w08y85cEsJ'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, h2qYPjB5wpqUvZLVs9w.cs High entropy of concatenated method names: 'm5aBrWXGbv', 'tsOHAoFSdGyGUrbufcZ9', 'EyLK1HFSTDgDy9qt1Ufs', 'VjPFeEFSavnDCBjP2viK', 'XTJBdwFSLRoKuWJqmHFO', 'd5oHXKFScYByyrNpnEf5', 'l5aTrWFSDHxfeqfvQQd6', 'EC7B6SHRNb', 'u8nBXpI018', 'IQpBo7hihD'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Glrptntv08UUWSF53LF.cs High entropy of concatenated method names: 'k7ati9w0vV', 'c8H2ATFyytbfHRgMHK1j', 'GKHKorFyetAy6eftd3Ti', 'TNSY4GFySyAmYMQo7GCn', 'HBJyJ3Fy3NPLAUap81iQ', 'LU1tpbkXhC', 'WZuUjkFygRskAQ2ERH6E', 'Rkvd3DFyrBODuWpWOJ9y', 'OrRnLDFyV2obSrk2dQID', 'dl58pFFyKuhYlXSEtpZU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, o1oYKWid2KpX1FvrONH.cs High entropy of concatenated method names: 'N2N', 'HZZFtUnfp3N', 'mTIicQJpJt', 'ThEFthyai0i', 'J6R3SbFDfAtT83eJRN6i', 'vj8fQ2FDqb4fje6Exa72', 'N8CVIjFDmtD0A7xdnccG', 'XvoFYUFDWQBPQxUywDvx', 'L83q5ZFDBQgoPER7gAHi', 'XCjJTfFDt9vwPA2cO0s1'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, TRm9WYILYoLflnXClmm.cs High entropy of concatenated method names: 'LsNFtkPbFsZ', 'Nk8FqKRgeP3', 'ytoTnqFZBF59dEh8pKoW', 'F4cSclFZfTjBBRSyhPcW', 'VYwY8AFZqbZbHd0Sl7wk', 'wG04XIFZxGFOEpojA68C', 'hKthmoFZ1MPxrL1xNMes', 'tEk6HvFZldlBN2xpgtjj', 'qtjgUOFZ4iu6Bb9TrGRU', 'imethod_0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UcGflgBDT3lsQIJRV0o.cs High entropy of concatenated method names: 'nsHB2JaU3D', 'B97BZSsdd1', 'LnkGGPFyWajv91KqHjhW', 'GRvdjrFyRBX9oiVYtcub', 'db71vvFyme8GQQbJBXhT', 'jsskJAFyfrpXQf1wjpGO', 'weKBH1LHME', 'lGVBn9aKfs', 'oOHB7HEkJe', 'k9JBsUyOpd'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, RKIDm31jt3nbX5Wu9NT.cs High entropy of concatenated method names: 'sQ5U52FLbp01haYDFrcS', 'IAI25PFLVpj1KOrqdgka', 'CJr0vRFLN2hSPQDRTiqa', 'o5L0wyVt0e', 'tAJ0GeFLSysc3DB2JQWv', 'I7ZWbRFLyGE0a0PjEqLm', 'QQvxviFL34fVmHbnBn9Z', 'MDXvb6FLaPwKnkuONyaw', 'QihUFE6Niw', 'JCojaRFLc8LyKwgq4pM4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, fX8eQwiGCO6SdHJqcBH.cs High entropy of concatenated method names: 'OKMFtvnjs5T', 'LZGiAI7IKZ', 'QmUFtQ3vdQ5', 'T7UaVPFDvMHhOrIgdJEU', 'tTsyYvFDQYnhZFlVCdKH', 'NFi66WFDUQDlAwCy8biO', 'DJQqVdFDhDBHjPfZp21a', 'byGUyIFDpCIpJmIwhYVO', 'xQXyU8FD5I1CqRlQYLAU', 'erqZaWFDiLnTbgvuxxVr'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FrEqMemkBngvOql2XZc.cs High entropy of concatenated method names: 'fiTmOoDbMD', 'je2mHdF193', 'q5tmnJwMkt', 'rSAP8nFVT3FbMIUqJme0', 'mdxZOtFVcNV4q4MKGvjY', 'S73i1gFVLuUs2cCAEtdj', 'aZgpRHFVdRZG2nwPRj1N', 'BhRmrJZfSK', 'yZKmVusUgO', 'zTSmNYhlnd'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, n51JElzTmUmkggO9LA.cs High entropy of concatenated method names: 'tw0FFXXuJ2', 'bnsFmS0TNr', 'ahSFWWZ3xM', 'GENFfDLhAx', 'PMOFqgE6Jp', 'k27FBigkJa', 'tyPF1TwqKq', 'CuduQmFgmokVcBJrYxDX', 'woYjhYFgWlA7B0cXF4C9', 'VMdfjQFgfsvRHFMcNrZo'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, YXAOeSKjqyIxbBq3IcE.cs High entropy of concatenated method names: 'eHtKK5JaCB', 'DupKkx2FOb', 'IfLKgQCaSn', 'JhCKr724v0', 'e1EKVwflY7', 'ti4aQCFnLKMmK2KSh2vi', 'WPVnVwFn3jLZaMCnHwgB', 'XbfRMnFnaONBXIV4AFXS', 'nRqJp6FndSunhXyQ5uQr', 'qHs4xYFnTML2uAPOWFWM'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D2p9XAqyRSObWLQZe0B.cs High entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'gknFtlu7GB3', 'tppFWFnnMPA', 'dMvdhJFeaYvZ7YHeTOqi', 'OgP91TFeLF5NL3vJI3XA', 'U9rUxtFedqpxvf0m2k4X'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, no4PKlrwIkMZVpKKVjy.cs High entropy of concatenated method names: 'qYAVCCEO2n', 'i3gVFHY6HS', 'etKVRPliSX', 'je4VmwOOs6', 'KDiVWxudIt', 'Y7SVffXN7F', 'Si1cHVFscn1c3i9ahUMr', 'c80cFuFsd1gAMkZa4w06', 'pQ5AoJFsTFZTfJ1cvDyJ', 'O1NgL8FsDOpUsrboaaDc'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, EBqZ44fAx1Cx4xcMqDt.cs High entropy of concatenated method names: 'u2pfMMSIHr', 'qHXfJD5Z3P', 'SZLfwMrUtT', 'H9afzXTWPa', 'NIVqCwbAMq', 'MRrqF3H6fe', 'tToqRJO17P', 'WhifryFelTlyi5apqveC', 'qLqZqBFet6ABNSh4jjJj', 'ALOMoZFe1FqCy4pgaETt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, LqXXCXbtkhyL3k8Wu7s.cs High entropy of concatenated method names: 'ASPblfPqml', 'olTbxDT1dY', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'Ud8b4kjWvU', 'method_2', 'uc7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, ELfSQutga90qN9hiPTZ.cs High entropy of concatenated method names: 'MMrtVmh4qw', 'IGBtNc3J07', 'bSmtbygvhw', 'dvJteQSfCV', 'Uf0tSfst4p', 'asvtyyOQqp', 'CbBxZZFyuyP8g6U1ohAR', 'pVUPeqFyIkJLfpFokAHD', 'j3yC97Fy9GwJIhsFYTS6', 'eYclNeFy2eJYfGo4oetw'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, d276UegDlySAk6ipgAK.cs High entropy of concatenated method names: 'VqfgJ2gI0K', 'MmrgzgvRnx', 'Jo8gHAVTpC', 'NX5gnRFHWr', 'IGeg73xr61', 'GmkgsOXh2d', 'wtwg8Akgok', 'akBgGlq7W3', 'g3kgPkmNYA', 'yAigA01y1G'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, HFpfHkVcEPMgdY0KgJk.cs High entropy of concatenated method names: 'CfFVORQb2C', 'moUVHEcPSj', 'MYlVn1jSNW', 'YpDV77QJnq', 'D4SVsZUSkf', 'q7oV8ZIrBJ', 'E2JVGDsinG', 'J9OVPWSUTC', 'xFdVAFarsR', 'zeZVux7Jt0'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, eCc9safhO5jkv3cSGMm.cs High entropy of concatenated method names: 'OgbfgafHZu', 'KhOfrCiC3J', 'nWwfVWcGtU', 'RdSpBZFb300tAWl6VVBM', 'xhO1HCFbaD5hxaVF70Dl', 'd8PbogFbS06F4wQbVjNb', 'A6wMkEFbyLq9AKrWLlql', 'M1nfjGHuvC', 'aiWfEoIjpg', 'EisVanFbblWFXBgWaVti'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, SFJ0Yp6hbywbZLCPU1g.cs High entropy of concatenated method names: 'WlMpu4FOlkEAIsLIDHeU', 'g6b8cTFOxtWYDTQ0hxAh', 'feacnaFOtfk25udhUHiA', 'DY6WLFFO102y2JvVAs0B', 'method_0', 'method_1', 'q3s6QvcnKO', 'Cu56pf1sIr', 'jqY65tZ0bf', 'TxL6igftkC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, sOQSJw1RbCONc9XBNnw.cs High entropy of concatenated method names: 'Hn81WYab80', 'vZm1ftL3g7', 'w9T1qlbGRB', 'MRi1BH926E', 'qo41tUXMLC', 'NLE113e0sK', 'ekV1lM2Ck2', 'WY41xnMJN7', 'Owe14Dicsc', 'FN71Y85aWk'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bBXk7o2bxZxi5i8NE3U.cs High entropy of concatenated method names: 'ffi2SIsTAF', 'xbC2ytDU0v', 'QX123Jk4qj', 'u832a8bFIF', 'Dispose', 'Bdj1sPFM0xPqnP9giqwe', 'X9RthoFMUgyJslaiWaid', 'GBKO0lFMhffE40QpxpAb', 'NIUUEkFMvt2xY1Q5x34l', 'cbBHVrFMQQlWUKIeMkCr'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, UtHdrj2YosutCLKVjcS.cs High entropy of concatenated method names: 'oNn2h0mtXJ', 's9C25IqHIl', 'SJZ2XXGRTE', 'OfT2ooww6m', 'O7n2j6Vq5W', 'xEQ2Ex0Oad', 'dB92K03sLH', 'Sic2k5L0If', 'Dispose', 'jEgNo3FMBsk81fRVog8N'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nW5ZnUTZwIJ6JZfHIcM.cs High entropy of concatenated method names: 'UaJTJThv7i', 'm68TwOSTB6', 'hRuTz1umBY', 'E4EcCyTJ41', 'Na3cFcFDUN', 'L1ycRSNOGI', 'wACcmslEhy', 'veCcWYrmPI', 'yi5cfsQLqA', 'WZicqRBejW'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, Lb8dIiZQrm4v1PoKFpp.cs High entropy of concatenated method names: 'odwpDQFJmn9yZUtdDcnR', 'GQYFXFFJWYGZFErHRoij', 'sjfMIFtEuU', 'cCanUsFJtRm9gvDbUwbs', 'QttDgyFJ1Qiy0WMqEStN', 'RYaBqFFJl4cM5C6Pixau', 'XQIHvhFJxhLDvmHxhpee', 'owIdeCFJ482ZHcK7OC0T', 's1w0fxFJYku8eKtjt932', 'eQM7e5FJ0ehQ4Zjc9mj4'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, g3VvtZgmURJWyMLWjAV.cs High entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'SJwgfaEjZU', 'Write', 'qEngqFHjOJ', 'y1mgB34elA', 'Flush', 'vl7'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, RnCU5MFpcDgWsccjmZv.cs High entropy of concatenated method names: 'RTM', 'KZ3', 'H7p', 'eeS', 'imethod_0', 'XbG', 'yDIFBzX6etv', 'tppFWFnnMPA', 'n82YKKFgprXX8WI3mAiW', 'c29cqFFg589U3E4tEsE3'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, DMFUBvJprpZ6MX95NQt.cs High entropy of concatenated method names: 'Cu2JV2f5bA', 'LqOJNVUSJ7', 'V0eJbWuH5m', 'kbxJe0IASH', 'yxvJSCiNRk', 'HPZJySlHWX', 'ENTJ3b0G4P', 'MJBJaPcUPc', 'vRLJLvSJMQ', 'ngrJdy2w0C'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, XsNwZojAVEhLp21jheL.cs High entropy of concatenated method names: 'HmCjI18pHY', 'fKfj9pqCd8', 'zSBj2ALEic', 'B79jZBkKe8', 'UvDjMnr3ua', 'PIgSe2FHDg2lfrIxihG7', 'sLDvvDFHT6FIi80ehxeF', 'WI1qCBFHcvPMxHCTvXjl', 'PJBMZZFHOxrigkjIP7UH', 'VZ0jlXFHHHbi7J5vEkk8'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, scC9m8kb2G5L9TRMhiU.cs High entropy of concatenated method names: 'method_0', 'Q5LkS2gIBe', 'LWfky6gr0j', 'oNPk3ic7YH', 'GOZkaFojqc', 'ocrkLaETD3', 'Bg2kdO8aQc', 'ko1F7LF7q4uU2ICIx5RI', 'X8jkh5F7BtAlibv66G0c', 'gMEWVjF7tHT97L44JsUA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, D1iQNZ6xCqtDlO26Eue.cs High entropy of concatenated method names: 'Rrr', 'y1x', 'JroFtX3jgfF', 'prCFtogCS3O', 'wBQkm1FDHG88TM0llMCQ', 'IEuv6SFDnIGLxtfKMbaR', 'H1w6cOFD7MV9oqZnYdYY', 'e7OZGQFDsewxWWkuVMkN', 'eHbIfgFD8tAKKkXhSujf', 'eU8s2TFDG1hJwY65jM3I'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bkahGwRPJAf3nl0OqmU.cs High entropy of concatenated method names: 'HAYmBGFMYH', 'XO5N5DFr2Fqt4s0r0ycv', 'Ol6lvsFrZG1sZiG014QH', 'FIgZSoFrMioK1grwhG4n', 'aI3NK0FrJnLnpZRrLgfN', 'G1nUnmFrIKZ1D0lExB6p', 'r3oVtrFr9ambCeqH2A5e', 'BOPCTbFrwPIjq0qgX7ux', 'wOsmC209Tv', 'KBpmRBsoBU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, IoVxrLKIFt7fXiO2BQQ.cs High entropy of concatenated method names: 'pmrK2il4gs', 'gSdKZSDsFF', 'QCKKMqYve5', 'luNFpGFnuVtV3fMpxIwH', 'i8U2UgFnP3Ue9Zwgj2EN', 'otUKkNFnAvIMyrKiTy8u', 'IqYbOPFnIiV1nHGZtuIE', 'EXQ1aVFn906W0jndHo3g', 'jLhL0uFn2wcB02PiE8hN'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FspQ6oESkE0N7J4rQfO.cs High entropy of concatenated method names: 'fLyE3KjXoR', 'xJ2qfdFHzVBO3jWYApYU', 'pDYm0dFnCo6kBTtdSk58', 'i262DsFnFnrY46GSe6i7', 'vIWghQFnRgkcDbMQ86Ni'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, bk5JwiIkDZSiBcrm3L1.cs High entropy of concatenated method names: 'TCJFtKDL6TX', 'whcFq6ugZ2a', 'yQ8', 'K9m', 'GpJCvaF2VZ7hYOsm3c3F', 'R5IpdCF2gd1kf7gkCo1Q', 'k92AaiF2rP5PihDBDRxt', 'r8VX40F2NWMFrJvAnEkt'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, f4FS5rfyCG0BE2ExRgC.cs High entropy of concatenated method names: 'l29', 'P9X', 'vmethod_0', 'cmJFWxfZlfA', 'l29favHWCB', 'imethod_0', 'LyvNDcFbd1sWI3BZr3S7', 'PLTjCOFbTCxaDN2wayGf', 'v2DWR1FbcEmN68S7rkSd', 'P91k7gFbDgnEjwbFuvZY'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, IaFqGvr7qoMTj0vWCqI.cs High entropy of concatenated method names: 'WEqr81yMT2', 'MberGBn6FH', 'EBhrP5wk1s', 'Wb9TnuFs6RSRD0gmCNQs', 'ogb7X9FsXdiRreInpLBb', 'ML6jjqFsobJo2f4AbAYV', 'bf1xd7FsjMMRvHFKuxcZ', 'yUO1gcFsEIc2F7yFZS4e', 'PyIi9bFsKcWYv1nI1GO1', 'glmJ33Fsk0sIH8tDWghC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, f4FUZyVtnmNWPJZGv5K.cs High entropy of concatenated method names: 'UcXVly93bv', 'H9lVxYGhTh', 'sY6V4LBiCD', 'SenugbFsGbC9KyyeaouX', 'YCJJVIFsPnsF0jOHMq9P', 'GxOZRsFsAr2dLk2YsHRP', 'EmqKrAFsu4mRgaIpNtA5', 'nmIq0lFsIAWK39FscZti', 'jFNs1dFs9D4okfqOAevN'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oWMIeSVbARowYyO8CCL.cs High entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, nimHOhqDR0XehhUMn1D.cs High entropy of concatenated method names: 'boMq2PFf1o', 'seaqZ90N2d', 'uL2qMecyHO', 'lJgIjuFewM9QScMDVjcM', 'vL9tX6FezCKspq19XrX5', 'OOHi4rFeMqpxMT6iyupS', 'yursa8FeJU5QxyrJSe3N', 'SYVqHfxkbm', 'wSsqnq2Os5', 'IgRq7b7OWI'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, d4DDcFB1YaeS5ymMq2O.cs High entropy of concatenated method names: 'ni7BxbmRSE', 'FFmB45wUFG', 'J3m6roFSYPLTdis0kOaM', 'EBBv1vFSxfTFMsDElaIf', 'R1dY4ZFS4DrWxUQ38v7a', 's7MPgCFS01jYQMaaAlAe', 'pMQsGOFSUDBibYsZrEWj', 'HL5J86FShawcDXC0uCMh', 'eZNMCXFSvYXF5e6yItGV', 'dWCE7CFSQluYbZ0rSt1r'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, B7swkY5d24qgw4JNMTX.cs High entropy of concatenated method names: 'iQd57yhWUd', 'PiW5sMLOcS', 'NZy584U091', 'X4auF2FctCnlo7GQwIT9', 'sCq3UMFc1AWEPgvuKqH7', 'c0up9uFcqjm5SMNYMK3H', 'ojNgaJFcBfnU0tvZdsRt', 'OGG5copb4i', 'Yju5DJgMC4', 'RfY5Oyq7sU'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, qsb7IV6F2wSBjePpK4D.cs High entropy of concatenated method names: 'rC9', 'method_0', 'gD1Ft5oX5Jg', 'MmxFtic2k7s', 'qwDP7SFDVE78WIihpT4v', 'N46MTHFDNtLnpIFmSUXs', 'tjfpIMFDbRfGw9ivExQA', 'J4kruxFDeX63OHadpheu', 'xIm8LXFDSJt86TayxHfM', 'bReQaLFDyGev0q6i6qOC'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, FBDnIjkxxqDhtGVx6Kr.cs High entropy of concatenated method names: 'nLNkYVBg1T', 'JuJk0AaSsV', 'rMlkUvxIhZ', 'eVskh86UI4', 'hEBkvkyEEo', 'O5QWyWFnw6BZIHYR1HAr', 'DEyfcuFnMaKrV4plHFGc', 'kq6xYBFnJM23ETZs5sje', 'EFJ3E8Fnz8igK6aHnWQW', 'X4263QF7COBi7Zlq8R2a'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, EdHrs5Riu05jhthKn9l.cs High entropy of concatenated method names: 'tHkRXqKx3Z', 'gXyRoq6276', 'yNTJJVFrX7fRvnnl88ru', 'V9AI9yFrivlevqDg23pP', 'PAskerFr6dJw3iKElp5I', 'U8xKS3FrobHkrwwfg7iF', 'R3fVEdFrjlUNHFtxiUsI', 'zqn3BsFrEQ1ovdiGNKCI', 'iOO8TxFrKhvbiqWswitP', 'VeUwH0FrkdnM3Z29N9vA'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, h0h4vuruufbah7wPSfo.cs High entropy of concatenated method names: 'K0Hr9Sk9AD', 'q3rr2abS8J', 'wJGrZ3GVkQ', 'prDrM3r0nb', 'wdvrJDVBiC', 'KFuts5FsVBiSk3QU7r2L', 'F5mAYAFsNJB3PahIeOHf', 'pJv2cIFsbN1MPwkbdlxh', 'blH2U7FseQVNMRErdy59', 'yfdKaoFsST8jq2J8s868'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, oQXbyMf1LcX9TnWRQFc.cs High entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'aTiFtfNqhuQ', 'tppFWFnnMPA', 'udv1OPFbUxWpPT9p81nI', 'OLduAyFbhkt949WfEMwt', 'PD0gdGFbvmj3HwfQVDE8', 'iOvSaWFbQO62XpLDWCol'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, hJrPErXYRO7mn0ciTTb.cs High entropy of concatenated method names: 'q5OjFL0h3k', 'FGZD2YFHh9a4WaDTOjNs', 'Q929sFFH0uEYQYdM8hCr', 'YEQs6jFHUeauAusAP7IN', 'yow53ZFHv90aqs9WigdM', 'wVoXU5XNl1', 'VXGXhFvij6', 'L2YXvJT7d2', 'PbKXQwNcbS', 'VNMXpQVnXI'
Source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, JvN7QYQTR4ll9U8FD3.cs High entropy of concatenated method names: 'MFfyxWVf5', 'oyyljwFkVg6DhPIw7fpj', 'fwC10vFkNRRJt2dKPUtT', 'INnm5YFkbPsaOla3rHXu', 'Eoh5E4F4i', 'poFiHqPmo', 'JUm6CYrrc', 'iDRXS1p1P', 'k3doM7ZY0', 'XA0jEvTmW'

Persistence and Installation Behavior

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File written: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe System file written: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\fontrefcrt\WmiPrvSE.exe
Source: C:\Users\user\Desktop\yX8787W7de.exe File created: C:\fontrefcrt\MsintoRefcommonsvc.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe File created: C:\Users\user\Desktop\wNZUMzpS.log
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Recovery\SystemSettings.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Users\user\Desktop\iJCvyQAH.log
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File created: C:\Users\user\Desktop\iJCvyQAH.log
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe File created: C:\Users\user\Desktop\wNZUMzpS.log

Boot Survival

Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost "C:\Program Files (x86)\windowspowershell\Configuration\Schema\conhost.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemSettings
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SystemSettings.exe'" /f
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SwjJGfgwqbpLdPqvPFcqLsY
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run conhost
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WmiPrvSE
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MsintoRefcommonsvc
Source: C:\Users\user\Desktop\yX8787W7de.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1380000 memory reserve | memory write watch Jump to behavior
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1B090000 memory reserve | memory write watch Jump to behavior
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Memory allocated: 1B3C0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Memory allocated: E60000 memory reserve | memory write watch
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Memory allocated: 1A9F0000 memory reserve | memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1B040000 memory reserve | memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1340000 memory reserve | memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: 1AD80000 memory reserve | memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Memory allocated: 1AAF0000 memory reserve | memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Memory allocated: 1060000 memory reserve | memory write watch
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Memory allocated: 1AD00000 memory reserve | memory write watch
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Dropped PE file which has not been started: C:\Users\user\Desktop\wNZUMzpS.log
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Dropped PE file which has not been started: C:\Users\user\Desktop\iJCvyQAH.log
Source: C:\Users\user\Desktop\yX8787W7de.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 2260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7564 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7220 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe TID: 7236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe TID: 7336 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe TID: 7300 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe TID: 7328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File Volume queried: C:\ FullSizeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 0_2_0012A69B
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 0_2_0013C220
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013E6A3 VirtualQuery,GetSystemInfo, 0_2_0013E6A3
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Thread delayed: delay time: 922337203685477
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Thread delayed: delay time: 922337203685477
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe File opened: C:\Users\user\AppData\Local
Source: MsintoRefcommonsvc.exe, 00000005.00000002.1892406143.000000001C14A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_
Source: yX8787W7de.exe, SystemSettings.exe.5.dr, WmiPrvSE.exe.5.dr, SwjJGfgwqbpLdPqvPFcqLsY.exe0.5.dr, conhost.exe.5.dr, SwjJGfgwqbpLdPqvPFcqLsY.exe.5.dr, MsintoRefcommonsvc.exe.0.dr Binary or memory string: urUHhGFSlChjFdqZFYX2
Source: conhost.exe, 0000001F.00000002.1998443695.000000001BE07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MsintoRefcommonsvc.exe, 00000005.00000002.1892478620.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: yX8787W7de.exe, 00000000.00000003.1643587874.00000000027D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000001.00000002.1848830925.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\$d5G
Source: conhost.exe, 0000001F.00000002.1998443695.000000001BD50000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 0000002E.00000002.2035065695.000002D1A88E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yX8787W7de.exe API call chain: ExitProcess graph end node
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0013F838
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00147DEE mov eax, dword ptr fs:[00000030h] 0_2_00147DEE
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0014C030 GetProcessHeap, 0_2_0014C030
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process token adjusted: Debug
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process token adjusted: Debug
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process token adjusted: Debug
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Process token adjusted: Debug
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0013F838
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013F9D5 SetUnhandledExceptionFilter, 0_2_0013F9D5
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0013FBCA
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_00148EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00148EBD
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\yX8787W7de.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\fontrefcrt\JfSdr.vbe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\fontrefcrt\YPm3Ri0zuGSw0d5cA9MOsCVgRsbtCEjXWkwqUVDQU6Ex.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\fontrefcrt\MsintoRefcommonsvc.exe "C:\fontrefcrt/MsintoRefcommonsvc.exe"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\i0e0ny4g\i0e0ny4g.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4FAE.tmp" "c:\Windows\System32\CSCE4B7E694399A43119EA8A93F1E7760F4.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\s4Al4mMfKa.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013F654 cpuid 0_2_0013F654
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_0013AF0F
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Queries volume information: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe VolumeInformation
Source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe Queries volume information: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe VolumeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation
Source: C:\fontrefcrt\MsintoRefcommonsvc.exe Queries volume information: C:\fontrefcrt\MsintoRefcommonsvc.exe VolumeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Queries volume information: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe VolumeInformation
Source: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe Queries volume information: C:\Recovery\SwjJGfgwqbpLdPqvPFcqLsY.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0013DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 0_2_0013DF1E
Source: C:\Users\user\Desktop\yX8787W7de.exe Code function: 0_2_0012B146 GetVersionExW, 0_2_0012B146
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MsintoRefcommonsvc.exe PID: 5340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SwjJGfgwqbpLdPqvPFcqLsY.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.1889075277.00000000130A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MsintoRefcommonsvc.exe PID: 5340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conhost.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SwjJGfgwqbpLdPqvPFcqLsY.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1640565455.0000000006B27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1639922058.0000000006213000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.1847919566.00000000009B2000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1641053706.0000000006B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: yX8787W7de.exe, type: SAMPLE
Source: Yara match File source: 5.0.MsintoRefcommonsvc.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.62616d2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.yX8787W7de.exe.6b756d2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\fontrefcrt\WmiPrvSE.exe, type: DROPPED
Source: Yara match File source: C:\Recovery\SystemSettings.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\conhost.exe, type: DROPPED
Source: Yara match File source: C:\fontrefcrt\MsintoRefcommonsvc.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\Internet Explorer\en-US\SwjJGfgwqbpLdPqvPFcqLsY.exe, type: DROPPED