Edit tour

Windows Analysis Report
Celery.exe

Overview

General Information

Sample name:	Celery.exe
Analysis ID:	1432517
MD5:	42c32b8ee377ce3bcf36f51fb7bc93a8
SHA1:	819d0926c93704884a882967d820d6f753732d37
SHA256:	c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc
Tags:	exe
Infos:

Detection

PureLog Stealer, RedLine, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected zgRAT

Drops PE files with a suspicious file extension

Drops large PE files

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

File is packed with WinRar

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: Execution of Suspicious File Type Extension

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Yara signature match

Classification

Process Tree

System is w10x64

Celery.exe (PID: 5608 cmdline: "C:\Users\user\Desktop\Celery.exe" MD5: 42C32B8EE377CE3BCF36F51FB7BC93A8)

Celery V3.exe (PID: 7012 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe" MD5: 06E7DDAE83EEE00448A508F9BADAB598)

cmd.exe (PID: 5964 cmdline: "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3592 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 7036 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 928 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5500 cmdline: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7116 cmdline: cmd /c md 1101 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 1396 cmdline: findstr /V "CalculationsExpediaJumpExchanges" Application MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6608 cmdline: cmd /c copy /b Trials + Explains + External + Fighting + Get + Rights 1101\z MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Spy.pif (PID: 6816 cmdline: 1101\Spy.pif 1101\z MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)

RegAsm.exe (PID: 6120 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

conhost.exe (PID: 2700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1856 cmdline: ping -n 5 127.0.0.1 MD5: B3624DD758CCECF93A1226CEF252CA12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.RegAsm.exe.540000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
19.2.RegAsm.exe.540000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
19.2.RegAsm.exe.540000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.2.RegAsm.exe.540000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x510b3:$s1: file:/// 0x50feb:$s2: {11111-22222-10009-11112} 0x51043:$s3: {11111-22222-50001-00000} 0x4dbc1:$s4: get_Module 0x48dc7:$s5: Reverse 0x49660:$s6: BlockCopy 0x48daf:$s7: ReadByte 0x510c5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, ParentCommandLine: 1101\Spy.pif 1101\z, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif, ParentProcessId: 6816, ParentProcessName: Spy.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe, ProcessId: 6120, ProcessName: RegAsm.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: 1101\Spy.pif 1101\z, CommandLine: 1101\Spy.pif 1101\z, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif, NewProcessName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif, OriginalFileName: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5964, ParentProcessName: cmd.exe, ProcessCommandLine: 1101\Spy.pif 1101\z, ProcessId: 6816, ProcessName: Spy.pif

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5964, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 5500, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Source: Celery.exe

Virustotal: Detection: 15%

Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif

Joe Sandbox ML: detected

Source: Celery.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000013.00000000.2570090970.0000000000462000.00000002.00000001.01000000.0000000C.sdmp, RegAsm.exe, 00000013.00000002.2864057648.00000000063A0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2861250304.0000000005139000.00000004.00000020.00020000.00000000.sdmp, tmpF16.tmp.19.dr, tmpCBE8.tmp.19.dr, tmpD3BD.tmp.19.dr, tmpFFAA.tmp.19.dr, tmpD58B.tmp.19.dr, tmpFB00.tmp.19.dr, tmpE0EE.tmp.19.dr, tmpE99F.tmp.19.dr, tmpEF8D.tmp.19.dr, tmpE48.tmp.19.dr, tmpD2FD.tmp.19.dr, tmpCA15.tmp.19.dr, tmpEF3A.tmp.19.dr, tmp6E7.tmp.19.dr, tmpDAF1.tmp.19.dr, tmp41B.tmp.19.dr, tmpE89B.tmp.19.dr, tmpD536.tmp.19.dr, tmpFAA9.tmp.19.dr, tmpF2A9.tmp.19.dr, tmpFAEF.tmp.19.dr, tmp4E6.tmp.19.dr, tmpC82C.tmp.19.dr, tmpDB24.tmp.19.dr, tmpCACF.tmp.19.dr, tmp3F9.tmp.19.dr, tmpC907.tmp.19.dr, tmpF3A9.tmp.19.dr, tmpEEAD.tmp.19.dr, tmp35B.tmp.19.dr, tmpE8BF.tmp.19.dr, tmp169.tmp.19.dr, tmpDFD9.tmp.19.dr, tmpED02.tmp.19.dr, tmpFF53.tmp.19.dr, tmpFEEF.tmp.19.dr, tmpEBAB.tmp.19.dr, tmpD39.tmp.19.dr, tmpC617.tmp.19.dr, tmpD17.tmp.19.dr, tmpD659.tmp.19.dr, tmp54F.tmp.19.dr, tmpCCE6.tmp.19.dr, tmp28B.tmp.19.dr, tmpCCC3.tmp.19.dr, tmpD743.tmp.19.dr, tmpCD3B.tmp.19.dr, tmp739.tmp.19.dr, tmpFF32.tmp.19.dr, tmpFA1C.tmp.19.dr, tmpC67D.tmp.19.dr, tmp681.tmp.19.dr, tmpF123.tmp.19.dr, tmpCB96.tmp.19.dr, tmp122.tmp.19.dr, tmpD79B.tmp.19.dr, tmp4C4.tmp.19.dr, tmp77E.tmp.19.dr, tmpE8D1.tmp.19.dr, tmpE779.tmp.19.dr, tmp247.tmp.19.dr, tmpFADE.tmp.19.dr, tmpE904.tmp.19.dr, tmpC8F6.tmp.19.dr, tmpF262.tmp.19.dr, tmpEF6C.tmp.19.dr, tmp3D5.tmp.19.dr, tmpE811.tmp.19.dr, tmpD435.tmp.19.dr, tmpC84E.tmp.19.dr, tmpDFD8.tmp.19.dr, tmpD412.tmp.19.dr, tmpC86F.tmp.19.dr, tmpFDA9.tmp.19.dr, tmpEC57.tmp.19.dr, tmpE95D.tmp.19.dr, tmpECAA.tmp.19.dr, tmp75A.tmp.19.dr, tmpE9E5.tmp.19.dr, tmpE171.tmp.19.dr, tmpD9AD.tmp.19.dr, tmpEC23.tmp.19.dr, tmp7F4.tmp.19.dr, tmp36D.tmp.19.dr, tmpC629.tmp.19.dr, tmpF962.tmp.19.dr, tmpBD3.tmp.19.dr, tmp3A0.tmp.19.dr, tmpF1EA.tmp.19.dr, tmp51A.tmp.19.dr, tmpEBBC.tmp.19.dr, tmpFF77.tmp.19.dr, tmp76C.tmp.19.dr, tmpD502.tmp.19.dr, tmpDDD0.tmp.19.dr, tmpFA2E.tmp.19.dr, tmpD389.tmp.19.dr, tmpD501.tmp.19.dr, tmpDE25.tmp.19.dr, tmpD5BF.tmp.19.dr, tmpD9CE.tmp.19.dr, tmpD402.tmp.19.dr, tmpEB34.tmp.19.dr, tmpE79D.tmp.19.dr, tmpC17.tmp.19.dr, tmpEC02.tmp.19.dr, tmpEE00.tmp.19.dr, tmpD767.tmp.19.dr, tmpD28.tmp.19.dr, tmpEB9A.tmp.19.dr, tmpD733.tmp.19.dr, tmpFBCB.tmp.19.dr, tmpEEBF.tmp.19.dr, tmpDF63.tmp.19.dr, tmp2D0.tmp.19.dr, tmpFEBB.tmp.19.dr, tmpFEEE.tmp.19.dr, tmpEAA5.tmp.19.dr, tmpF2EB.tmp.19.dr, tmpE9A0.tmp.19.dr, tmpF9FA.tmp.19.dr, tmpDD69.tmp.19.dr, tmpC9F2.tmp.19.dr, tmpF0B0.tmp.19.dr, tmpD90C.tmp.19.dr, tmp43D.tmp.19.dr, tmpC8D4.tmp.19.dr, tmp593.tmp.19.dr, tmpC07.tmp.19.dr, tmpF06.tmp.19.dr, tmp43.tmp.19.dr, tmpDADF.tmp.19.dr, tmpCA8B.tmp.19.dr, tmpCC3B.tmp.19.dr, tmp3E7.tmp.19.dr, tmpC918.tmp.19.dr
Source:	Binary string: Flash.pdb source: scripts.dll
Source:	Binary string: Flash.pdbx source: scripts.dll
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000013.00000000.2570090970.0000000000462000.00000002.00000001.01000000.0000000C.sdmp, RegAsm.exe, 00000013.00000002.2864057648.00000000063A0000.00000004.00000020.00020000.00000000.sdmp, tmpF16.tmp.19.dr, tmpCBE8.tmp.19.dr, tmpD3BD.tmp.19.dr, tmpFFAA.tmp.19.dr, tmpD58B.tmp.19.dr, tmpFB00.tmp.19.dr, tmpE0EE.tmp.19.dr, tmpE99F.tmp.19.dr, tmpEF8D.tmp.19.dr, tmpE48.tmp.19.dr, tmpD2FD.tmp.19.dr, tmpCA15.tmp.19.dr, tmpEF3A.tmp.19.dr, tmp6E7.tmp.19.dr, tmpDAF1.tmp.19.dr, tmp41B.tmp.19.dr, tmpE89B.tmp.19.dr, tmpD536.tmp.19.dr, tmpFAA9.tmp.19.dr, tmpF2A9.tmp.19.dr, tmpFAEF.tmp.19.dr, tmp4E6.tmp.19.dr, tmpC82C.tmp.19.dr, tmpDB24.tmp.19.dr, tmpCACF.tmp.19.dr, tmp3F9.tmp.19.dr, tmpC907.tmp.19.dr, tmpF3A9.tmp.19.dr, tmpEEAD.tmp.19.dr, tmp35B.tmp.19.dr, tmpE8BF.tmp.19.dr, tmp169.tmp.19.dr, tmpDFD9.tmp.19.dr, tmpED02.tmp.19.dr, tmpFF53.tmp.19.dr, tmpFEEF.tmp.19.dr, tmpEBAB.tmp.19.dr, tmpD39.tmp.19.dr, tmpC617.tmp.19.dr, tmpD17.tmp.19.dr, tmpD659.tmp.19.dr, tmp54F.tmp.19.dr, tmpCCE6.tmp.19.dr, tmp28B.tmp.19.dr, tmpCCC3.tmp.19.dr, tmpD743.tmp.19.dr, tmpCD3B.tmp.19.dr, tmp739.tmp.19.dr, tmpFF32.tmp.19.dr, tmpFA1C.tmp.19.dr, tmpC67D.tmp.19.dr, tmp681.tmp.19.dr, tmpF123.tmp.19.dr, tmpCB96.tmp.19.dr, tmp122.tmp.19.dr, tmpD79B.tmp.19.dr, tmp4C4.tmp.19.dr, tmp77E.tmp.19.dr, tmpE8D1.tmp.19.dr, tmpE779.tmp.19.dr, tmp247.tmp.19.dr, tmpFADE.tmp.19.dr, tmpE904.tmp.19.dr, tmpC8F6.tmp.19.dr, tmpF262.tmp.19.dr, tmpEF6C.tmp.19.dr, tmp3D5.tmp.19.dr, tmpE811.tmp.19.dr, tmpD435.tmp.19.dr, tmpC84E.tmp.19.dr, tmpDFD8.tmp.19.dr, tmpD412.tmp.19.dr, tmpC86F.tmp.19.dr, tmpFDA9.tmp.19.dr, tmpEC57.tmp.19.dr, tmpE95D.tmp.19.dr, tmpECAA.tmp.19.dr, tmp75A.tmp.19.dr, tmpE9E5.tmp.19.dr, tmpE171.tmp.19.dr, tmpD9AD.tmp.19.dr, tmpEC23.tmp.19.dr, tmp7F4.tmp.19.dr, tmp36D.tmp.19.dr, tmpC629.tmp.19.dr, tmpF962.tmp.19.dr, tmpBD3.tmp.19.dr, tmp3A0.tmp.19.dr, tmpF1EA.tmp.19.dr, tmp51A.tmp.19.dr, tmpEBBC.tmp.19.dr, tmpFF77.tmp.19.dr, tmp76C.tmp.19.dr, tmpD502.tmp.19.dr, tmpDDD0.tmp.19.dr, tmpFA2E.tmp.19.dr, tmpD389.tmp.19.dr, tmpD501.tmp.19.dr, tmpDE25.tmp.19.dr, tmpD5BF.tmp.19.dr, tmpD9CE.tmp.19.dr, tmpD402.tmp.19.dr, tmpEB34.tmp.19.dr, tmpE79D.tmp.19.dr, tmpC17.tmp.19.dr, tmpEC02.tmp.19.dr, tmpEE00.tmp.19.dr, tmpD767.tmp.19.dr, tmpD28.tmp.19.dr, tmpEB9A.tmp.19.dr, tmpD733.tmp.19.dr, tmpFBCB.tmp.19.dr, tmpEEBF.tmp.19.dr, tmpDF63.tmp.19.dr, tmp2D0.tmp.19.dr, tmpFEBB.tmp.19.dr, tmpFEEE.tmp.19.dr, tmpEAA5.tmp.19.dr, tmpF2EB.tmp.19.dr, tmpE9A0.tmp.19.dr, tmpF9FA.tmp.19.dr, tmpDD69.tmp.19.dr, tmpC9F2.tmp.19.dr, tmpF0B0.tmp.19.dr, tmpD90C.tmp.19.dr, tmp43D.tmp.19.dr, tmpC8D4.tmp.19.dr, tmp593.tmp.19.dr, tmpC07.tmp.19.dr, tmpF06.tmp.19.dr, tmp43.tmp.19.dr, tmpDADF.tmp.19.dr, tmpCA8B.tmp.19.dr, tmpCC3B.tmp.19.dr, tmp3E7.tmp.19.dr, tmpC918.tmp.19.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: Celery.exe
Source:	Binary string: RegAsm.pdbI source: RegAsm.exe, 00000013.00000002.2861250304.0000000005139000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5AECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6DB5AECA0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6DB59647C
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C30F0 FindFirstFileExA,	0_2_00007FF6DB5C30F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_0040683D FindFirstFileW,FindClose,	1_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C13

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1

Source: unknown

DNS traffic detected: query: jVkuFBkAgxQTjEleejFjuecf.jVkuFBkAgxQTjEleejFjuecf replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@|- equals www.youtube.com (Youtube)

Source: global traffic

DNS traffic detected: DNS query: jVkuFBkAgxQTjEleejFjuecf.jVkuFBkAgxQTjEleejFjuecf

Source: scripts.dll	String found in binary or memory: http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpendingReserved
Source: scripts.dll	String found in binary or memory: http://ad./adserver/e?type=playererrorhttp://ad.auditude.com/adserver/e?type=playererror//_.dashmpd&
Source: scripts.dll	String found in binary or memory: http://ad./adserver?tm=15&u=&u=&l=&z=&of=1.4&g=Auditude
Source: scripts.dll	String found in binary or memory: http://ad.auditude.com/adserver/e?type=playererror
Source: scripts.dll	String found in binary or memory: http://cdn2.auditude.com/assets/3p/v
Source: scripts.dll	String found in binary or memory: http://cdn2.auditude.com/assets/3p/vService
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Riders	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Riders	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Riders	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Celery V3.exe	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: Riders	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: scripts.dll	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: scripts.dll	String found in binary or memory: http://dashif.org/guidelines/trickmode
Source: scripts.dll	String found in binary or memory: http://dashif.org/guidelines/trickmode1
Source: celeryuwp.bin	String found in binary or memory: http://docs.rackspacecloud.com/servers/api/v1.0
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: scripts.dll	String found in binary or memory: http://fpdownload2.macromedia.com/get/
Source: scripts.dll	String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_
Source: scripts.dll	String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_
Source: scripts.dll	String found in binary or memory: http://fpdownload2.macromedia.com/get/https://fpdownload.macromedia.com/get/https://www.macromedia.c
Source: Celery V3.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Celery V3.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Celery V3.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Celery V3.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Celery V3.exe	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Celery V3.exe	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: scripts.dll	String found in binary or memory: http://ocsp.thawte.com0
Source: Riders	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Riders	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Celery V3.exe, Riders	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Celery V3.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: scripts.dll	String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: scripts.dll	String found in binary or memory: http://s.symcd.com0_
Source: scripts.dll	String found in binary or memory: http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u8
Source: scripts.dll	String found in binary or memory: http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u82L
Source: scripts.dll	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Celery V3.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Riders	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Celery V3.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Riders	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Celery V3.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Celery V3.exe	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: scripts.dll	String found in binary or memory: http://sw.symcb.com/sw.crl0
Source: scripts.dll	String found in binary or memory: http://sw.symcd.com0
Source: scripts.dll	String found in binary or memory: http://sw1.symcb.com/sw.crt0
Source: scripts.dll	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: scripts.dll	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: scripts.dll	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: scripts.dll	String found in binary or memory: http://www.macromedia.com
Source: scripts.dll	String found in binary or memory: http://www.macromedia.com/go/player_settings_
Source: scripts.dll	String found in binary or memory: http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu
Source: scripts.dll	String found in binary or memory: http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp
Source: scripts.dll	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: scripts.dll	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: scripts.dll	String found in binary or memory: https://auth.adobefpl.com/1/
Source: scripts.dll	String found in binary or memory: https://d.symcb.com/cps0%
Source: scripts.dll	String found in binary or memory: https://d.symcb.com/rpa0
Source: scripts.dll	String found in binary or memory: https://d.symcb.com/rpa0)
Source: RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: scripts.dll	String found in binary or memory: https://fpdownload.macromedia.com/get/
Source: scripts.dll	String found in binary or memory: https://primetimeenablement.sc.omtrdc.net/b/ss//6
Source: scripts.dll	String found in binary or memory: https://primetimeenablement.sc.omtrdc.net/b/ss//6primesample2
Source: celeryuwp.bin	String found in binary or memory: https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/decompile.lua
Source: celeryuwp.bin	String found in binary or memory: https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/saveinstance.lua
Source: Riders	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Riders	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Riders	String found in binary or memory: https://www.globalsign.com/repository/06
Source: scripts.dll	String found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgi
Source: scripts.dll	String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

Code function: 1_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056A8

Source: scripts.dll

Binary or memory string: DirectInput8Create

memstr_80216dde-1

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE

Matched rule: Detects zgRAT Author: ditekSHen

Drops large PE files

Source: C:\Users\user\Desktop\Celery.exe

File dump: Celery V3.exe.0.dr 157301232

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004034F7

Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5AECA0	0_2_00007FF6DB5AECA0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59DC08	0_2_00007FF6DB59DC08
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5A6250	0_2_00007FF6DB5A6250
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B0998	0_2_00007FF6DB5B0998
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59A8AC	0_2_00007FF6DB59A8AC
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B3FCC	0_2_00007FF6DB5B3FCC
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5A5658	0_2_00007FF6DB5A5658
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5BFCD8	0_2_00007FF6DB5BFCD8
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C54D0	0_2_00007FF6DB5C54D0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5972AC	0_2_00007FF6DB5972AC
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59B314	0_2_00007FF6DB59B314
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C59A0	0_2_00007FF6DB5C59A0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59B944	0_2_00007FF6DB59B944
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B3FCC	0_2_00007FF6DB5B3FCC
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5AC9F0	0_2_00007FF6DB5AC9F0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59E8D8	0_2_00007FF6DB59E8D8
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5BC034	0_2_00007FF6DB5BC034
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C8FC8	0_2_00007FF6DB5C8FC8
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59BF08	0_2_00007FF6DB59BF08
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C2EE4	0_2_00007FF6DB5C2EE4
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5BBDB8	0_2_00007FF6DB5BBDB8
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_00406BFE	1_2_00406BFE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Code function: 19_2_026B0868	19_2_026B0868
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Code function: 19_2_026B0878	19_2_026B0878
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Code function: 19_2_026B4DC0	19_2_026B4DC0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Code function: 19_2_026B4DD0	19_2_026B4DD0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif 865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4

Source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE

Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: classification engine

Classification label: mal100.troj.evad.winEXE@27/1065@1/1

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB593BF8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF6DB593BF8

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

1_2_004034F7

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

Code function: 1_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404954

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5AC220 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF6DB5AC220

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Application

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2700:120:WilError_03

Source: C:\Users\user\Desktop\Celery.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: Celery.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Celery.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Celery.exe

Virustotal: Detection: 15%

Source: C:\Users\user\Desktop\Celery.exe

File read: C:\Users\user\Desktop\Celery.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Celery.exe "C:\Users\user\Desktop\Celery.exe"
Source: C:\Users\user\Desktop\Celery.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe"
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1101
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CalculationsExpediaJumpExchanges" Application
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Trials + Explains + External + Fighting + Get + Rights 1101\z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif 1101\Spy.pif 1101\z
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Celery.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1101	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CalculationsExpediaJumpExchanges" Application	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Trials + Explains + External + Fighting + Get + Rights 1101\z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif 1101\Spy.pif 1101\z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Celery.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Celery.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Celery.exe

Static file information: File size 13919256 > 1048576

Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Celery.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Celery.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Celery.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000013.00000000.2570090970.0000000000462000.00000002.00000001.01000000.0000000C.sdmp, RegAsm.exe, 00000013.00000002.2864057648.00000000063A0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.2861250304.0000000005139000.00000004.00000020.00020000.00000000.sdmp, tmpF16.tmp.19.dr, tmpCBE8.tmp.19.dr, tmpD3BD.tmp.19.dr, tmpFFAA.tmp.19.dr, tmpD58B.tmp.19.dr, tmpFB00.tmp.19.dr, tmpE0EE.tmp.19.dr, tmpE99F.tmp.19.dr, tmpEF8D.tmp.19.dr, tmpE48.tmp.19.dr, tmpD2FD.tmp.19.dr, tmpCA15.tmp.19.dr, tmpEF3A.tmp.19.dr, tmp6E7.tmp.19.dr, tmpDAF1.tmp.19.dr, tmp41B.tmp.19.dr, tmpE89B.tmp.19.dr, tmpD536.tmp.19.dr, tmpFAA9.tmp.19.dr, tmpF2A9.tmp.19.dr, tmpFAEF.tmp.19.dr, tmp4E6.tmp.19.dr, tmpC82C.tmp.19.dr, tmpDB24.tmp.19.dr, tmpCACF.tmp.19.dr, tmp3F9.tmp.19.dr, tmpC907.tmp.19.dr, tmpF3A9.tmp.19.dr, tmpEEAD.tmp.19.dr, tmp35B.tmp.19.dr, tmpE8BF.tmp.19.dr, tmp169.tmp.19.dr, tmpDFD9.tmp.19.dr, tmpED02.tmp.19.dr, tmpFF53.tmp.19.dr, tmpFEEF.tmp.19.dr, tmpEBAB.tmp.19.dr, tmpD39.tmp.19.dr, tmpC617.tmp.19.dr, tmpD17.tmp.19.dr, tmpD659.tmp.19.dr, tmp54F.tmp.19.dr, tmpCCE6.tmp.19.dr, tmp28B.tmp.19.dr, tmpCCC3.tmp.19.dr, tmpD743.tmp.19.dr, tmpCD3B.tmp.19.dr, tmp739.tmp.19.dr, tmpFF32.tmp.19.dr, tmpFA1C.tmp.19.dr, tmpC67D.tmp.19.dr, tmp681.tmp.19.dr, tmpF123.tmp.19.dr, tmpCB96.tmp.19.dr, tmp122.tmp.19.dr, tmpD79B.tmp.19.dr, tmp4C4.tmp.19.dr, tmp77E.tmp.19.dr, tmpE8D1.tmp.19.dr, tmpE779.tmp.19.dr, tmp247.tmp.19.dr, tmpFADE.tmp.19.dr, tmpE904.tmp.19.dr, tmpC8F6.tmp.19.dr, tmpF262.tmp.19.dr, tmpEF6C.tmp.19.dr, tmp3D5.tmp.19.dr, tmpE811.tmp.19.dr, tmpD435.tmp.19.dr, tmpC84E.tmp.19.dr, tmpDFD8.tmp.19.dr, tmpD412.tmp.19.dr, tmpC86F.tmp.19.dr, tmpFDA9.tmp.19.dr, tmpEC57.tmp.19.dr, tmpE95D.tmp.19.dr, tmpECAA.tmp.19.dr, tmp75A.tmp.19.dr, tmpE9E5.tmp.19.dr, tmpE171.tmp.19.dr, tmpD9AD.tmp.19.dr, tmpEC23.tmp.19.dr, tmp7F4.tmp.19.dr, tmp36D.tmp.19.dr, tmpC629.tmp.19.dr, tmpF962.tmp.19.dr, tmpBD3.tmp.19.dr, tmp3A0.tmp.19.dr, tmpF1EA.tmp.19.dr, tmp51A.tmp.19.dr, tmpEBBC.tmp.19.dr, tmpFF77.tmp.19.dr, tmp76C.tmp.19.dr, tmpD502.tmp.19.dr, tmpDDD0.tmp.19.dr, tmpFA2E.tmp.19.dr, tmpD389.tmp.19.dr, tmpD501.tmp.19.dr, tmpDE25.tmp.19.dr, tmpD5BF.tmp.19.dr, tmpD9CE.tmp.19.dr, tmpD402.tmp.19.dr, tmpEB34.tmp.19.dr, tmpE79D.tmp.19.dr, tmpC17.tmp.19.dr, tmpEC02.tmp.19.dr, tmpEE00.tmp.19.dr, tmpD767.tmp.19.dr, tmpD28.tmp.19.dr, tmpEB9A.tmp.19.dr, tmpD733.tmp.19.dr, tmpFBCB.tmp.19.dr, tmpEEBF.tmp.19.dr, tmpDF63.tmp.19.dr, tmp2D0.tmp.19.dr, tmpFEBB.tmp.19.dr, tmpFEEE.tmp.19.dr, tmpEAA5.tmp.19.dr, tmpF2EB.tmp.19.dr, tmpE9A0.tmp.19.dr, tmpF9FA.tmp.19.dr, tmpDD69.tmp.19.dr, tmpC9F2.tmp.19.dr, tmpF0B0.tmp.19.dr, tmpD90C.tmp.19.dr, tmp43D.tmp.19.dr, tmpC8D4.tmp.19.dr, tmp593.tmp.19.dr, tmpC07.tmp.19.dr, tmpF06.tmp.19.dr, tmp43.tmp.19.dr, tmpDADF.tmp.19.dr, tmpCA8B.tmp.19.dr, tmpCC3B.tmp.19.dr, tmp3E7.tmp.19.dr, tmpC918.tmp.19.dr
Source:	Binary string: Flash.pdb source: scripts.dll
Source:	Binary string: Flash.pdbx source: scripts.dll
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000013.00000000.2570090970.0000000000462000.00000002.00000001.01000000.0000000C.sdmp, RegAsm.exe, 00000013.00000002.2864057648.00000000063A0000.00000004.00000020.00020000.00000000.sdmp, tmpF16.tmp.19.dr, tmpCBE8.tmp.19.dr, tmpD3BD.tmp.19.dr, tmpFFAA.tmp.19.dr, tmpD58B.tmp.19.dr, tmpFB00.tmp.19.dr, tmpE0EE.tmp.19.dr, tmpE99F.tmp.19.dr, tmpEF8D.tmp.19.dr, tmpE48.tmp.19.dr, tmpD2FD.tmp.19.dr, tmpCA15.tmp.19.dr, tmpEF3A.tmp.19.dr, tmp6E7.tmp.19.dr, tmpDAF1.tmp.19.dr, tmp41B.tmp.19.dr, tmpE89B.tmp.19.dr, tmpD536.tmp.19.dr, tmpFAA9.tmp.19.dr, tmpF2A9.tmp.19.dr, tmpFAEF.tmp.19.dr, tmp4E6.tmp.19.dr, tmpC82C.tmp.19.dr, tmpDB24.tmp.19.dr, tmpCACF.tmp.19.dr, tmp3F9.tmp.19.dr, tmpC907.tmp.19.dr, tmpF3A9.tmp.19.dr, tmpEEAD.tmp.19.dr, tmp35B.tmp.19.dr, tmpE8BF.tmp.19.dr, tmp169.tmp.19.dr, tmpDFD9.tmp.19.dr, tmpED02.tmp.19.dr, tmpFF53.tmp.19.dr, tmpFEEF.tmp.19.dr, tmpEBAB.tmp.19.dr, tmpD39.tmp.19.dr, tmpC617.tmp.19.dr, tmpD17.tmp.19.dr, tmpD659.tmp.19.dr, tmp54F.tmp.19.dr, tmpCCE6.tmp.19.dr, tmp28B.tmp.19.dr, tmpCCC3.tmp.19.dr, tmpD743.tmp.19.dr, tmpCD3B.tmp.19.dr, tmp739.tmp.19.dr, tmpFF32.tmp.19.dr, tmpFA1C.tmp.19.dr, tmpC67D.tmp.19.dr, tmp681.tmp.19.dr, tmpF123.tmp.19.dr, tmpCB96.tmp.19.dr, tmp122.tmp.19.dr, tmpD79B.tmp.19.dr, tmp4C4.tmp.19.dr, tmp77E.tmp.19.dr, tmpE8D1.tmp.19.dr, tmpE779.tmp.19.dr, tmp247.tmp.19.dr, tmpFADE.tmp.19.dr, tmpE904.tmp.19.dr, tmpC8F6.tmp.19.dr, tmpF262.tmp.19.dr, tmpEF6C.tmp.19.dr, tmp3D5.tmp.19.dr, tmpE811.tmp.19.dr, tmpD435.tmp.19.dr, tmpC84E.tmp.19.dr, tmpDFD8.tmp.19.dr, tmpD412.tmp.19.dr, tmpC86F.tmp.19.dr, tmpFDA9.tmp.19.dr, tmpEC57.tmp.19.dr, tmpE95D.tmp.19.dr, tmpECAA.tmp.19.dr, tmp75A.tmp.19.dr, tmpE9E5.tmp.19.dr, tmpE171.tmp.19.dr, tmpD9AD.tmp.19.dr, tmpEC23.tmp.19.dr, tmp7F4.tmp.19.dr, tmp36D.tmp.19.dr, tmpC629.tmp.19.dr, tmpF962.tmp.19.dr, tmpBD3.tmp.19.dr, tmp3A0.tmp.19.dr, tmpF1EA.tmp.19.dr, tmp51A.tmp.19.dr, tmpEBBC.tmp.19.dr, tmpFF77.tmp.19.dr, tmp76C.tmp.19.dr, tmpD502.tmp.19.dr, tmpDDD0.tmp.19.dr, tmpFA2E.tmp.19.dr, tmpD389.tmp.19.dr, tmpD501.tmp.19.dr, tmpDE25.tmp.19.dr, tmpD5BF.tmp.19.dr, tmpD9CE.tmp.19.dr, tmpD402.tmp.19.dr, tmpEB34.tmp.19.dr, tmpE79D.tmp.19.dr, tmpC17.tmp.19.dr, tmpEC02.tmp.19.dr, tmpEE00.tmp.19.dr, tmpD767.tmp.19.dr, tmpD28.tmp.19.dr, tmpEB9A.tmp.19.dr, tmpD733.tmp.19.dr, tmpFBCB.tmp.19.dr, tmpEEBF.tmp.19.dr, tmpDF63.tmp.19.dr, tmp2D0.tmp.19.dr, tmpFEBB.tmp.19.dr, tmpFEEE.tmp.19.dr, tmpEAA5.tmp.19.dr, tmpF2EB.tmp.19.dr, tmpE9A0.tmp.19.dr, tmpF9FA.tmp.19.dr, tmpDD69.tmp.19.dr, tmpC9F2.tmp.19.dr, tmpF0B0.tmp.19.dr, tmpD90C.tmp.19.dr, tmp43D.tmp.19.dr, tmpC8D4.tmp.19.dr, tmp593.tmp.19.dr, tmpC07.tmp.19.dr, tmpF06.tmp.19.dr, tmp43.tmp.19.dr, tmpDADF.tmp.19.dr, tmpCA8B.tmp.19.dr, tmpCC3B.tmp.19.dr, tmp3E7.tmp.19.dr, tmpC918.tmp.19.dr
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxzip64\Release\sfxzip.pdb source: Celery.exe
Source:	Binary string: RegAsm.pdbI source: RegAsm.exe, 00000013.00000002.2861250304.0000000005139000.00000004.00000020.00020000.00000000.sdmp

Source: Celery.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Celery.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Celery.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Celery.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Celery.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Celery.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_5514250

Jump to behavior

Source: Celery.exe	Static PE information: section name: .didat
Source: Celery.exe	Static PE information: section name: _RDATA
Source: scripts.dll.0.dr	Static PE information: section name: .rodata

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp847.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF05.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC629.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD53.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEE3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCF4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1FC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp61C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp67.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEDBC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD388.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD469.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD5D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpA57.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF54.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDEF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3AC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5C0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE79.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD76.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF7D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC7D7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFF5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF28.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEBB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE04C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp693.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBD4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEC0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2FD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD48C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD39.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7F4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE7BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC65B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE88.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF77.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE37.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE07E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp64D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF29.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE78C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp815.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE57D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpAE5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC605.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp670.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpB93.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCC2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE811.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD558.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFAA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE56.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE5B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3CF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE00.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp79F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD17.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC4B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEDBD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF263.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1FB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEE2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1B6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE33.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE7A.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE12E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7A0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE66.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF05D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE172.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDA9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp43.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE9D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCA0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFA5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFCC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF02A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDEB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE43.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF174.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE38.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE11.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEDDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE79C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6F8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDAA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF07E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7F3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE8E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpA96.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD332.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE57.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2ED.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp671.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6E7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE150.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF007.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFA9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC604.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp74A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE0EE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF76.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFD8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE78B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDED3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD48D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7C1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD4AF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE746.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDCC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD59E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF08F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp146.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp21.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF135.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF21F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD343.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD54.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC29.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD459.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDEA0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD424.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFEB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFB6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD0F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD35.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0F2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5D0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD4D1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFBA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD9C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE833.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD30F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEAD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD401.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3F0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD58.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC639.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp77D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE7D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE747.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp89.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCD3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEBF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp63D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD366.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC616.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp826.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD331.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE45.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE160.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD447.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC81B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFEF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6B6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD06.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFC8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp145.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF32.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD58C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF006.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1A5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEDEF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE09F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5E2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD502.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF134.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE05C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2DB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF262.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBF6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE856.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDCD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp65E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD36.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp61B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC67D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEEF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC63A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp694.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF39.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFDC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\scripts\scripts.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD0E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE23.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp66.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp122.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE05D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF16.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD524.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC81A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp739.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE1F2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD389.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF240.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBD3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp77E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3AD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD402.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC59E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC6D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF53.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFA0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD446.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC07.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD57.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp8B8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDE1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5E3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp101.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF17.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0D1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD367.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD30.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF9F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBF5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC7F9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp718.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE01.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE855.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0F3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC90.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF31.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0B0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD7B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFC2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC8F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC617.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpAC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD58B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpAB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp65F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD49E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3BE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC83C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEA9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC769.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFB2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD56A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF3A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEDCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC66C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF09F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE13F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE26.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD88.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp63C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7E2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF284.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7B1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF6C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDBE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpB35.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF43.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDDE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpA46.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD569.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp681.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp134.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE03.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF04B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEED1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD47B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD28.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDBA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp858.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1EA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD39A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2C8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF20D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDF63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD42.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDF93.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp78.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6A5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD547.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE192.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE800.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEF5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD5BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDF14.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE758.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDE0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE76.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5D1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp75B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE68.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD87.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC3A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE77A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF65.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD344.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE6C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE735.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDEE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEAA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF018.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD354.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2EC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp78E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF22F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1EB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp9C6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFEFF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp897.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD49D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE8F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFEA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE7AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF06D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD321.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp805.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD458.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE00.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFCFE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE8C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1C8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDEB2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEED0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD4C1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFC7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6B5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD05.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDF94.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC69D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD65.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF03B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp682.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF252.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD501.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp10.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE49.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF274.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFCED.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp938.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFDBB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFEE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC809.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF1B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE9F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF04C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp156.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD513.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp8E8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD378.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD59D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF017.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDAE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE6B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp7D2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp75A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC7E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC3B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF20E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFF21.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD2C9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD320.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp76C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFA4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE779.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp977.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD47.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD20.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE736.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp837.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDEC3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE171.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC82C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE724.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE34.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF029.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE821.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp9A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFFCB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE55.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE04B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF251.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD536.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE7C0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC17.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD4C0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE845.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD412.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFD4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD355.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE48.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFECB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF8D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE21.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE1B2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE11E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFCEC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE02A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE79D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpA16.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDFD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD436.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE25.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF123.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEF8E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp33.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3BD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE7EF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE822.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD8B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp112.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD69.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDAD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC628.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD514.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD557.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp9F6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp56.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD413.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDD0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dll\VMProtectSDK32.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFE99.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE844.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC7E8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp729.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD535.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEE12.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBE4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp8C8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDD6A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFB1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDCF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0C1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD57A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpBD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD3DF.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\dll\celeryuwp.bin	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC18.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE06E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD435.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD5BE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD39B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC64B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEFD3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDDF2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpF0E2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpE759.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmp133.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpC5F4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpEEF4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpD47A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpCC3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpDE04.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\tmpFD41.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Celery.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: \QEMU-GA.EXE@|-

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Memory allocated: 26E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\dll\VMProtectSDK32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\scripts\scripts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Celery.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\dll\celeryuwp.bin	Jump to dropped file

Source: C:\Users\user\Desktop\Celery.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5AECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6DB5AECA0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB59647C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6DB59647C
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5C30F0 FindFirstFileExA,	0_2_00007FF6DB5C30F0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_0040683D FindFirstFileW,FindClose,	1_2_0040683D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C13

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5B50F4 VirtualQuery,GetSystemInfo,

0_2_00007FF6DB5B50F4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: VMProtectSDK32.dll	Binary or memory string: VMProtectSDK32.dllVMProtectActivateLicenseVMProtectBeginVMProtectBeginMutationVMProtectBeginUltraVMProtectBeginUltraLockByKeyVMProtectBeginVirtualizationVMProtectBeginVirtualizationLockByKeyVMProtectDeactivateLicenseVMProtectDecryptStringAVMProtectDecryptStringWVMProtectEndVMProtectFreeStringVMProtectGetCurrentHWIDVMProtectGetOfflineActivationStringVMProtectGetOfflineDeactivationStringVMProtectGetSerialNumberDataVMProtectGetSerialNumberStateVMProtectIsDebuggerPresentVMProtectIsProtectedVMProtectIsValidImageCRCVMProtectIsVirtualMachinePresentVMProtectSetSerialNumber
Source: VMProtectSDK32.lib	Binary or memory string: __imp__VMProtectIsVirtualMachinePresent@0
Source: VMProtectSDK32.lib	Binary or memory string: VMProtectSDK32_NULL_THUNK_DATA_VMProtectIsProtected@0__imp__VMProtectIsProtected@0_VMProtectBegin@4__imp__VMProtectBegin@4_VMProtectBeginVirtualization@4__imp__VMProtectBeginVirtualization@4_VMProtectBeginMutation@4__imp__VMProtectBeginMutation@4_VMProtectBeginUltra@4__imp__VMProtectBeginUltra@4_VMProtectBeginVirtualizationLockByKey@4__imp__VMProtectBeginVirtualizationLockByKey@4_VMProtectBeginUltraLockByKey@4__imp__VMProtectBeginUltraLockByKey@4_VMProtectEnd@0__imp__VMProtectEnd@0_VMProtectIsDebuggerPresent@4__imp__VMProtectIsDebuggerPresent@4_VMProtectIsVirtualMachinePresent@0__imp__VMProtectIsVirtualMachinePresent@0_VMProtectIsValidImageCRC@0__imp__VMProtectIsValidImageCRC@0_VMProtectDecryptStringA@4__imp__VMProtectDecryptStringA@4_VMProtectDecryptStringW@4__imp__VMProtectDecryptStringW@4_VMProtectFreeString@4__imp__VMProtectFreeString@4_VMProtectSetSerialNumber@4__imp__VMProtectSetSerialNumber@4_VMProtectGetSerialNumberState@0__imp__VMProtectGetSerialNumberState@0_VMProtectGetSerialNumberData@8__imp__VMProtectGetSerialNumberData@8_VMProtectGetCurrentHWID@8__imp__VMProtectGetCurrentHWID@8_VMProtectActivateLicense@12__imp__VMProtectActivateLicense@12_VMProtectDeactivateLicense@4__imp__VMProtectDeactivateLicense@4_VMProtectGetOfflineActivationString@12__imp__VMProtectGetOfflineActivationString@12_VMProtectGetOfflineDeactivationString@12__imp__VMProtectGetOfflineDeactivationString@12/ 1569745864 0 1714 `
Source: VMProtectSDK32.lib	Binary or memory string: _VMProtectActivateLicense@12_VMProtectBegin@4_VMProtectBeginMutation@4_VMProtectBeginUltra@4_VMProtectBeginUltraLockByKey@4_VMProtectBeginVirtualization@4_VMProtectBeginVirtualizationLockByKey@4_VMProtectDeactivateLicense@4_VMProtectDecryptStringA@4_VMProtectDecryptStringW@4_VMProtectEnd@0_VMProtectFreeString@4_VMProtectGetCurrentHWID@8_VMProtectGetOfflineActivationString@12_VMProtectGetOfflineDeactivationString@12_VMProtectGetSerialNumberData@8_VMProtectGetSerialNumberState@0_VMProtectIsDebuggerPresent@4_VMProtectIsProtected@0_VMProtectIsValidImageCRC@0_VMProtectIsVirtualMachinePresent@0_VMProtectSetSerialNumber@4__IMPORT_DESCRIPTOR_VMProtectSDK32__NULL_IMPORT_DESCRIPTOR__imp__VMProtectActivateLicense@12__imp__VMProtectBegin@4__imp__VMProtectBeginMutation@4__imp__VMProtectBeginUltra@4__imp__VMProtectBeginUltraLockByKey@4__imp__VMProtectBeginVirtualization@4__imp__VMProtectBeginVirtualizationLockByKey@4__imp__VMProtectDeactivateLicense@4__imp__VMProtectDecryptStringA@4__imp__VMProtectDecryptStringW@4__imp__VMProtectEnd@0__imp__VMProtectFreeString@4__imp__VMProtectGetCurrentHWID@8__imp__VMProtectGetOfflineActivationString@12__imp__VMProtectGetOfflineDeactivationString@12__imp__VMProtectGetSerialNumberData@8__imp__VMProtectGetSerialNumberState@0__imp__VMProtectIsDebuggerPresent@4__imp__VMProtectIsProtected@0__imp__VMProtectIsValidImageCRC@0__imp__VMProtectIsVirtualMachinePresent@0__imp__VMProtectSetSerialNumber@4
Source: VMProtectSDK32.lib	Binary or memory string: _VMProtectIsVirtualMachinePresent@0VMProtectSDK32.dll
Source: RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\|-
Source: VMProtectSDK32.dll	Binary or memory string: VMProtectIsVirtualMachinePresent
Source: VMProtectSDK32.lib	Binary or memory string: _VMProtectIsVirtualMachinePresent@0

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe

API call chain: ExitProcess graph end node

graph_1-3664

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5BAC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6DB5BAC28

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5C4170 GetProcessHeap,

0_2_00007FF6DB5C4170

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B5CA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6DB5B5CA0
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5BAC28 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6DB5BAC28
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B6AE4 SetUnhandledExceptionFilter,	0_2_00007FF6DB5B6AE4
Source: C:\Users\user\Desktop\Celery.exe	Code function: 0_2_00007FF6DB5B6900 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6DB5B6900

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif

Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe base: 540000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe base: 540000			Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe base: 78F000			Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5AECA0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6DB5AECA0

Source: C:\Users\user\Desktop\Celery.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 1101	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CalculationsExpediaJumpExchanges" Application	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Trials + Explains + External + Fighting + Get + Rights 1101\z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif 1101\Spy.pif 1101\z	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Jump to behavior

Source: Sp

Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB59DB98 cpuid

0_2_00007FF6DB59DB98

Source: C:\Users\user\Desktop\Celery.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF6DB5ADE04

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\modern.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\roman.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\script.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\coure.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courf.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seriff.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sserife.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sseriff.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\smalle.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\smallf.fon VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB5B3FCC GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6DB5B3FCC

Source: C:\Users\user\Desktop\Celery.exe

Code function: 0_2_00007FF6DB596768 GetVersionExW,

0_2_00007FF6DB596768

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match

File source: 19.2.RegAsm.exe.540000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Virtualization/Sandbox Evasion	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	212 Process Injection	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	212 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	38 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Celery.exe	15%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	7%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe	13%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\dll\VMProtectSDK32.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\dll\VMProtectSDK32.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\dll\celeryuwp.bin	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\dll\celeryuwp.bin	3%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\scripts\scripts.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\scripts\scripts.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp1.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp10.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp10.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp101.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp101.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp112.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp112.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp122.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp122.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\tmp133.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\tmp133.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://primetimeenablement.sc.omtrdc.net/b/ss//6primesample2	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://dashif.org/guidelines/trickmode	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://dashif.org/guidelines/trickmode1	0%	Avira URL Cloud	safe
http://cdn2.auditude.com/assets/3p/vService	0%	Avira URL Cloud	safe
http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://cdn2.auditude.com/assets/3p/vService	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
https://auth.adobefpl.com/1/	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/saveinstance.lua	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpendingReserved	0%	Avira URL Cloud	safe
https://auth.adobefpl.com/1/	0%	Virustotal		Browse
https://primetimeenablement.sc.omtrdc.net/b/ss//6primesample2	0%	Virustotal		Browse
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/saveinstance.lua	1%	Virustotal		Browse
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
http://ad./adserver/e?type=playererrorhttp://ad.auditude.com/adserver/e?type=playererror//_.dashmpd&	0%	Avira URL Cloud	safe
http://dashif.org/guidelines/trickmode1	0%	Virustotal		Browse
https://primetimeenablement.sc.omtrdc.net/b/ss//6	0%	Avira URL Cloud	safe
http://ad.auditude.com/adserver/e?type=playererror	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	1%	Virustotal		Browse
http://ad./adserver?tm=15&u=&u=&l=&z=&of=1.4&g=Auditude	0%	Avira URL Cloud	safe
http://cdn2.auditude.com/assets/3p/v	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/decompile.lua	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Virustotal		Browse
https://primetimeenablement.sc.omtrdc.net/b/ss//6	0%	Virustotal		Browse
http://cdn2.auditude.com/assets/3p/v	0%	Virustotal		Browse
http://ad.auditude.com/adserver/e?type=playererror	0%	Virustotal		Browse
https://discord.com/api/v9/users/	0%	Virustotal		Browse
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/decompile.lua	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jVkuFBkAgxQTjEleejFjuecf.jVkuFBkAgxQTjEleejFjuecf	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.macromedia.com	scripts.dll	false		high
http://www.fontbureau.com/designers/?	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_	scripts.dll	false		high
http://www.founder.com.cn/cn/bThe	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://docs.rackspacecloud.com/servers/api/v1.0	celeryuwp.bin	false		high
http://www.fontbureau.com/designers?	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	scripts.dll	false		high
http://www.tiro.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primetimeenablement.sc.omtrdc.net/b/ss//6primesample2	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	Riders	false		high
http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u82L	scripts.dll	false		high
http://www.openssl.org/support/faq.html	scripts.dll	false		high
http://www.sajatypeworks.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cdn2.auditude.com/assets/3p/vService	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://s3.amazonaws.com/venkat-test/ads/camry/file-640k.m3u8	scripts.dll	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	scripts.dll	false		high
http://www.macromedia.com/go/player_settings_	scripts.dll	false		high
http://dashif.org/guidelines/trickmode1	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp	scripts.dll	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sakkal.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/J	Sp	false		high
http://www.apache.org/licenses/LICENSE-2.0	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	RegAsm.exe, 00000013.00000002.2854794727.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://auth.adobefpl.com/1/	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/saveinstance.lua	celeryuwp.bin	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	scripts.dll	false	URL Reputation: safe	unknown
http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpendingReserved	scripts.dll	false	Avira URL Cloud: safe	low
http://nsis.sf.net/NSIS_ErrorError	Celery V3.exe	false		high
http://www.carterandcone.coml	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html....................	scripts.dll	false		high
http://ad./adserver/e?type=playererrorhttp://ad.auditude.com/adserver/e?type=playererror//_.dashmpd&	scripts.dll	false	Avira URL Cloud: safe	unknown
http://fpdownload2.macromedia.com/get/	scripts.dll	false		high
http://www.jiyu-kobo.co.jp/	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://primetimeenablement.sc.omtrdc.net/b/ss//6	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ad.auditude.com/adserver/e?type=playererror	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://dashif.org/guidelines/trickmode	scripts.dll	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	RegAsm.exe, 00000013.00000002.2862276175.0000000005DC2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu	scripts.dll	false		high
http://ad./adserver?tm=15&u=&u=&l=&z=&of=1.4&g=Auditude	scripts.dll	false	Avira URL Cloud: safe	unknown
https://www.macromedia.com/bin/flashdownload.cgi	scripts.dll	false		high
https://www.macromedia.com/support/flashplayer/sys/	scripts.dll	false		high
https://fpdownload.macromedia.com/get/	scripts.dll	false		high
https://raw.githubusercontent.com/TheSeaweedMonster/Luau/main/decompile.lua	celeryuwp.bin	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://cdn2.auditude.com/assets/3p/v	scripts.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fpdownload2.macromedia.com/get/https://fpdownload.macromedia.com/get/https://www.macromedia.c	scripts.dll	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432517
Start date and time:	2024-04-27 12:00:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Celery.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@27/1065@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 109 Number of non-executed functions: 93
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:01:46	API Interceptor	673x Sleep call for process: Spy.pif modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe	qBSw7aeXEM.exe	Get hash	malicious	RedLine	Browse
	AWB NO. 077-57676135.exe	Get hash	malicious	AgentTesla	Browse
	z4aHc5RDMN.exe	Get hash	malicious	RedLine	Browse
	hesaphareketi-01.pdf.SCR.exe	Get hash	malicious	AgentTesla	Browse
	hesaphareketi_1.SCR.exe	Get hash	malicious	AgentTesla	Browse
	remasdasd.exe	Get hash	malicious	XWorm	Browse
	9safSk1jJz.exe	Get hash	malicious	RedLine	Browse
	OZQB66iRBr.exe	Get hash	malicious	RisePro Stealer	Browse
	BXQ4Nv60Rl.exe	Get hash	malicious	RisePro Stealer	Browse
	nq5gQXmhPL.exe	Get hash	malicious	RisePro Stealer	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif	qBSw7aeXEM.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	z4aHc5RDMN.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	DisabilityCharge.exe	Get hash	malicious	RHADAMANTHYS	Browse
	SA161.pdf.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	DisabilityCharge.exe	Get hash	malicious	RHADAMANTHYS	Browse
	Factura_SA161.pdf.lnk	Get hash	malicious	RHADAMANTHYS	Browse
	remasdasd.exe	Get hash	malicious	XWorm	Browse
	SOmgV48NPL.exe	Get hash	malicious	RHADAMANTHYS	Browse

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: qBSw7aeXEM.exe, Detection: malicious, Browse Filename: AWB NO. 077-57676135.exe, Detection: malicious, Browse Filename: z4aHc5RDMN.exe, Detection: malicious, Browse Filename: hesaphareketi-01.pdf.SCR.exe, Detection: malicious, Browse Filename: hesaphareketi_1.SCR.exe, Detection: malicious, Browse Filename: remasdasd.exe, Detection: malicious, Browse Filename: 9safSk1jJz.exe, Detection: malicious, Browse Filename: OZQB66iRBr.exe, Detection: malicious, Browse Filename: BXQ4Nv60Rl.exe, Detection: malicious, Browse Filename: nq5gQXmhPL.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.620254876639106
Encrypted:	false
SSDEEP:	12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
MD5:	6EE7DDEBFF0A2B78C7AC30F6E00D1D11
SHA1:	F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
SHA-256:	865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
SHA-512:	57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7% Antivirus: Virustotal, Detection: 3%, Browse
Joe Sandbox View:	Filename: qBSw7aeXEM.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: z4aHc5RDMN.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: DisabilityCharge.exe, Detection: malicious, Browse Filename: SA161.pdf.lnk, Detection: malicious, Browse Filename: DisabilityCharge.exe, Detection: malicious, Browse Filename: Factura_SA161.pdf.lnk, Detection: malicious, Browse Filename: remasdasd.exe, Detection: malicious, Browse Filename: SOmgV48NPL.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L......Z.........."...............................@.................................Jo....@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\Celery.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	157301232
Entropy (8bit):	0.12644263202808903
Encrypted:	false
SSDEEP:	24576:9NkQG2LDAjjh8KrrQD5vyII4fBVYT6EnSMrefVy7:7ard9re6IvfbgF177
MD5:	06E7DDAE83EEE00448A508F9BADAB598
SHA1:	C6CEC77B57BC0347A1D6630241312B28A55BA87F
SHA-256:	B26315F2003B6B636B74C6AAC13FEFF2B98B465D8DC9E00B5EB239A46538AE98
SHA-512:	218C1291211A0B50D38F048355169E9DF6FDCC2E8D44E74382B19295613D107E1D2649524D0B3F383B1284C243456C61492F4EC8A1311132B9B6A5047D088934
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 13%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@...........................................................`..9...........................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.974946893120815
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Celery.exe
File size:	13'919'256 bytes
MD5:	42c32b8ee377ce3bcf36f51fb7bc93a8
SHA1:	819d0926c93704884a882967d820d6f753732d37
SHA256:	c91c0745dcd02dbffa34747dd26e85e3e124a62d0812c125b6bc67792b66c8dc
SHA512:	d9c5d1a4ab4c873d819a36d6b2219667d01cd5007a6c1f9c8828c5bd0f0907a56ec1cdf3339274805db53e572c1a259f8193ad8738e0f6e4b8caceec5a84b284
SSDEEP:	393216:uEtDIsayzJASQzBVLw1HY80t92B3s6Mo85oZBn55i1C:uEVHZASUYH50tCVdmoZB55iA
TLSH:	93E63388E7C501E5D0A6EA39CDA78D04F7363C062B32579F86B4017A2EA7751CE3E752
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........B#..,p..,p..,p.:.p..,p.:.p5.,p.:.p..,p<..p..,p<.(q..,p<./q..,p<.)q..,p...p..,p...p..,p...p..,p..-p..,p2.)q..,p2.,q..,p2..p..,

Entrypoint:	0x140026670
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DC5383 [Mon Feb 26 09:01:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e8a30656287fe831c9782204ed10cd68

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4b1e0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b214	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0xe360	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6c000	0x2ab4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x80000	0x938	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x460e0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x46180	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3de10	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x4a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4a4ac	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3988e	0x39a00	2e51ec74609fbaf5c08ca97ff655ea65	False	0.5453963869305857	data	6.4643560143194545	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x1118c	0x11200	95dee35be54e2acf2d2e961bb0d495e8	False	0.44718008667883213	data	5.216118347289193	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4d000	0x1ef5c	0x1a00	148867e92396c2a403730872d91149f7	False	0.2765925480769231	DOS executable (block device driver o\3050)	3.1779391259225855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6c000	0x2ab4	0x2c00	d3d5c7ef0e59ba49d0bb4142316d42d5	False	0.47993607954545453	data	5.395487196100669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6f000	0x308	0x400	f83dedcddf9ceb5084b7159064aebc44	False	0.23828125	data	2.796337056872422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x70000	0x15c	0x200	4a3322e97146b4fbd4ed6f2bbc580541	False	0.408203125	data	3.318036041719511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x71000	0xe360	0xe400	de9f51d017ba3a6fbb2d9d60d0118abb	False	0.6301226699561403	data	6.59668280263086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x80000	0x938	0xa00	c057cd0b29d094da3cebf433be170d6d	False	0.498828125	data	5.228587706357198	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
PNG	0x71680	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	English	United States	1.0027729636048528
PNG	0x721c8	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	English	United States	0.9363390441839495
RT_ICON	0x73778	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.47832369942196534
RT_ICON	0x73ce0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.5410649819494585
RT_ICON	0x74588	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors	English	United States	0.4933368869936034
RT_ICON	0x75430	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m	English	United States	0.5390070921985816
RT_ICON	0x75898	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m	English	United States	0.41393058161350843
RT_ICON	0x76940	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m	English	United States	0.3479253112033195
RT_ICON	0x78ee8	0x3d71	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9809269502193401
RT_DIALOG	0x7d5b8	0x286	data	English	United States	0.5092879256965944
RT_DIALOG	0x7d388	0x13a	data	English	United States	0.60828025477707
RT_DIALOG	0x7d4c8	0xec	data	English	United States	0.6991525423728814
RT_DIALOG	0x7d258	0x12e	data	English	United States	0.5927152317880795
RT_DIALOG	0x7cf20	0x338	data	English	United States	0.45145631067961167
RT_DIALOG	0x7ccc8	0x252	data	English	United States	0.5757575757575758
RT_STRING	0x7df98	0x1e2	data	English	United States	0.3900414937759336
RT_STRING	0x7e180	0x1cc	data	English	United States	0.4282608695652174
RT_STRING	0x7e350	0x1b8	data	English	United States	0.45681818181818185
RT_STRING	0x7e508	0x146	data	English	United States	0.5153374233128835
RT_STRING	0x7e650	0x46c	data	English	United States	0.3454063604240283
RT_STRING	0x7eac0	0x166	data	English	United States	0.49162011173184356
RT_STRING	0x7ec28	0x152	data	English	United States	0.5059171597633136
RT_STRING	0x7ed80	0x10a	data	English	United States	0.49624060150375937
RT_STRING	0x7ee90	0xbc	data	English	United States	0.6329787234042553
RT_STRING	0x7ef50	0x1c0	data	English	United States	0.5178571428571429
RT_STRING	0x7f110	0x250	data	English	United States	0.44256756756756754
RT_GROUP_ICON	0x7cc60	0x68	data	English	United States	0.7019230769230769
RT_MANIFEST	0x7d840	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3957333333333333

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 12:01:09.363820076 CEST	51899	53	192.168.2.4	1.1.1.1
Apr 27, 2024 12:01:09.456336021 CEST	53	51899	1.1.1.1	192.168.2.4

Target ID:	0
Start time:	12:00:56
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\Celery.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Celery.exe"
Imagebase:	0x7ff6db590000
File size:	13'919'256 bytes
MD5 hash:	42C32B8EE377CE3BCF36F51FB7BC93A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	12:01:02
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\Celery V3.exe"
Imagebase:	0x400000
File size:	157'301'232 bytes
MD5 hash:	06E7DDAE83EEE00448A508F9BADAB598
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 13%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	12:01:05
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Earned Earned.cmd && Earned.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	12:01:06
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	6
Start time:	12:01:07
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xd0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	19
Start time:	12:02:33
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe
Imagebase:	0x460000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000013.00000002.2851258914.0000000000542000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	high
Has exited:	false

Target ID:	20
Start time:	12:02:38
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	31

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.5%
Total number of Nodes:	1373
Total number of Limit Nodes:	22

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Celery.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\RegAsm.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\Spy.pif

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\1101\z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Application

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Earned

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Earned.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Explains

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\External

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Facing

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fighting

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Get

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nested

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Riders

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rights

Windows Analysis Report
Celery.exe

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre