
Windows Analysis Report
tKBxw8eOIV.exe

Overview

General Information

Sample name: tKBxw8eOIV.exe (renamed because original name is a hash value)
Original sample name: 51f4cfbe1c4f38beb7d4185086720317.exe
Analysis ID: 1628986
MD5: 51f4cfbe1c4f38beb7d4185086720317
SHA1: 759e7e67ecc0b034d706125d6e2602c6051d2f63
SHA256: 9e485a81d02dcd866ff2b63734bd9e5331319d6c6bd8c2aac53ef9e366556fcb
Tags: exe, Socks5Systemz, user-abuse_ch

Detection

Socks5Systemz
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Socks5Systemz
Contains functionality to infect the boot sector
Joe Sandbox ML detected suspicious sample
PE file has a writeable .text section
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • tKBxw8eOIV.exe (PID: 6880 cmdline: "C:\Users\user\Desktop\tKBxw8eOIV.exe" MD5: 51F4CFBE1C4F38BEB7D4185086720317)
    • tKBxw8eOIV.tmp (PID: 6236 cmdline: "C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp" /SL5="$20438,3471488,56832,C:\Users\user\Desktop\tKBxw8eOIV.exe" MD5: A68E919AA98AF0107E6C6C200955EF9C)
      • smartfiledefrag13.exe (PID: 6212 cmdline: "C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe" -i MD5: 483573178F49D6667013866FB10AB1CB)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000003.00000002.4020546247.00000000023A1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
00000003.00000002.4020890820.000000000268B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security
Process Memory Space: smartfiledefrag13.exe PID: 6212 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-04T10:38:29.348390+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.6 | 49985 | 176.113.115.96 | 443 | TCP
2025-03-04T10:38:29.812993+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49985 | 176.113.115.96 | 443 | TCP


AV Detection

Source: tKBxw8eOIV.exe | Virustotal: Detection: 19%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045D2E4 ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045D2FC ArcFourCrypt
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_10001130 ArcFourCrypt

Compliance

Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Unpacked PE file: 3.2.smartfiledefrag13.exe.400000.0.unpack
Source: tKBxw8eOIV.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart File Defrag_is1
Source: unknown | HTTPS traffic detected: 176.113.115.96:443 -> 192.168.2.6:49985 version: TLS 1.2
Source: tKBxw8eOIV.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcp100.i386.pdb source: is-AQM23.tmp.2.dr
Source: Binary string: msvcr100.i386.pdb source: is-5P6NV.tmp.2.dr
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00452AD4 FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00475798 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose
Source: Joe Sandbox View | IP Address: 176.113.115.96
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.6:49985 -> 176.113.115.96:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49985 -> 176.113.115.96:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5ca212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd4da955d4ccd HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 176.113.115.96
Source: unknown | TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023DD675 CloseHandle,LdrInitializeThunk,InternetReadFile,LdrInitializeThunk
Source: is-GR8PB.tmp.2.dr, is-LCDEV.tmp.2.dr | String found in binary or memory: http://icu-project.org
Source: tKBxw8eOIV.tmp, 00000002.00000002.4020195154.0000000005C8A000.00000004.00001000.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000003.2181736491.0000000002648000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000000.2181054207.000000000065C000.00000002.00000001.01000000.00000009.sdmp, smartfiledefrag13.exe.2.dr, SmartFileDefrag.exe.3.dr, is-8F7LH.tmp.2.dr | String found in binary or memory: http://www.countnow.ru
Source: tKBxw8eOIV.tmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | String found in binary or memory: http://www.innosetup.com/
Source: tKBxw8eOIV.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: tKBxw8eOIV.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: tKBxw8eOIV.exe, 00000000.00000003.2161032856.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160780335.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: tKBxw8eOIV.exe, 00000000.00000003.2161032856.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160780335.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | String found in binary or memory: http://www.remobjects.com/psU
Source: smartfiledefrag13.exe, 00000003.00000002.4019290046.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/
Source: smartfiledefrag13.exe, 00000003.00000002.4019290046.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/Z
Source: smartfiledefrag13.exe, 00000003.00000002.4019290046.0000000000905000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: tKBxw8eOIV.exe, 00000000.00000003.2160476522.0000000002121000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000002.4019373102.0000000002121000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160402309.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000003.2162931488.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4019719142.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000003.2162852704.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4019287541.00000000006C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443

System Summary

Source: smartfiledefrag13.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SmartFileDefrag.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0042F594 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00423B94 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004125E8 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00479380 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0042E944 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: String function: 023C2A10 appears 135 times
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: String function: 023B7760 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00406AD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00457DB8 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00446118 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: String function: 00403684 appears 229 times
Source: tKBxw8eOIV.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: tKBxw8eOIV.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: tKBxw8eOIV.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-5482O.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-5482O.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-5482O.tmp.2.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: sqlite3.dll.3.dr | Static PE information: Number of sections : 19 > 10
Source: is-9UG3I.tmp.2.dr | Static PE information: Number of sections : 19 > 10
Source: tKBxw8eOIV.exe, 00000000.00000003.2161032856.0000000002128000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs tKBxw8eOIV.exe
Source: tKBxw8eOIV.exe, 00000000.00000003.2160780335.0000000002350000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs tKBxw8eOIV.exe
Source: classification engine | Classification label: mal84.troj.evad.winEXE@5/32@0/1
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023AF8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_00401EEF CreateServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0046E5B8 GetVersion,CoCreateInstance
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_0040D94D StartServiceCtrlDispatcherA
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | File created: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: smartfiledefrag13.exe, smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: smartfiledefrag13.exe, smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: smartfiledefrag13.exe, smartfiledefrag13.exe, 00000003.00000003.2182652428.000000000082A000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4021764200.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.3.dr, is-9UG3I.tmp.2.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: tKBxw8eOIV.exeVirustotal: Detection: 19%
        Source: tKBxw8eOIV.exeString found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
        Source: tKBxw8eOIV.exeString found in binary or memory: /LOADINF="filename"
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exeFile read: C:\Users\user\Desktop\tKBxw8eOIV.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\tKBxw8eOIV.exe "C:\Users\user\Desktop\tKBxw8eOIV.exe"
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp "C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp" /SL5="$20438,3471488,56832,C:\Users\user\Desktop\tKBxw8eOIV.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe "C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe" -i
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: msimg32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: textinputframework.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: coremessaging.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: shfolder.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: rstrtmgr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: msacm32.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: winmmbase.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: riched20.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: usp10.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: msls31.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: explorerframe.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: sfc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: sqlite3.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: mpr.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: appxsip.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: opcservices.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: wininet.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: schannel.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: dpapi.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Window found: window name: TMainForm
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart File Defrag_is1
        Source: tKBxw8eOIV.exe | Static file information: File size 3722172 > 1048576
        Source: tKBxw8eOIV.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: msvcp100.i386.pdb source: is-AQM23.tmp.2.dr
        Source: Binary string: msvcr100.i386.pdb source: is-5P6NV.tmp.2.dr

        Data Obfuscation

        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Unpacked PE file: 3.2.smartfiledefrag13.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Unpacked PE file: 3.2.smartfiledefrag13.exe.400000.0.unpack
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 2_2_00450334
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /4
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /19
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /35
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /51
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /63
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /77
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /89
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /102
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /113
        Source: is-9UG3I.tmp.2.dr | Static PE information: section name: /124
        Source: sqlite3.dll.3.dr | Static PE information: section name: /4
        Source: sqlite3.dll.3.dr | Static PE information: section name: /19
        Source: sqlite3.dll.3.dr | Static PE information: section name: /35
        Source: sqlite3.dll.3.dr | Static PE information: section name: /51
        Source: sqlite3.dll.3.dr | Static PE information: section name: /63
        Source: sqlite3.dll.3.dr | Static PE information: section name: /77
        Source: sqlite3.dll.3.dr | Static PE information: section name: /89
        Source: sqlite3.dll.3.dr | Static PE information: section name: /102
        Source: sqlite3.dll.3.dr | Static PE information: section name: /113
        Source: sqlite3.dll.3.dr | Static PE information: section name: /124
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_004065C8 push 00406605h; ret | 0_2_004065FD
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_004040B5 push eax; ret | 0_2_004040F1
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax | 0_2_00408109
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00404185 push 00404391h; ret | 0_2_00404389
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00404206 push 00404391h; ret | 0_2_00404389
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_0040C218 push eax; ret | 0_2_0040C219
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_004042E8 push 00404391h; ret | 0_2_00404389
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00404283 push 00404391h; ret | 0_2_00404389
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret | 0_2_00408F63
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004849F4 push 00484B02h; ret | 2_2_00484AFA
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040995C push 00409999h; ret | 2_2_00409991
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00458060 push 00458098h; ret | 2_2_00458090
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004860E4 push ecx; mov dword ptr [esp], ecx | 2_2_004860E9
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004062C4 push ecx; mov dword ptr [esp], eax | 2_2_004062C5
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004783C8 push ecx; mov dword ptr [esp], edx | 2_2_004783C9
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004104F0 push ecx; mov dword ptr [esp], edx | 2_2_004104F5
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00412938 push 0041299Bh; ret | 2_2_00412993
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0049AD44 pushad ; retf | 2_2_0049AD53
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040CE48 push ecx; mov dword ptr [esp], edx | 2_2_0040CE4A
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00459378 push 004593BCh; ret | 2_2_004593B4
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040F3A8 push ecx; mov dword ptr [esp], edx | 2_2_0040F3AA
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040546D push eax; ret | 2_2_004054A9
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004434B4 push ecx; mov dword ptr [esp], ecx | 2_2_004434B8
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040553D push 00405749h; ret | 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004055BE push 00405749h; ret | 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0040563B push 00405749h; ret | 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004056A0 push 00405749h; ret | 2_2_00405741
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0045186C push 0045189Fh; ret | 2_2_00451897
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00451A30 push ecx; mov dword ptr [esp], eax | 2_2_00451A35
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00495BE4 push ecx; mov dword ptr [esp], ecx | 2_2_00495BE9
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00419C38 push ecx; mov dword ptr [esp], ecx | 2_2_00419C3D
        Source: is-5P6NV.tmp.2.dr | Static PE information: section name: .text entropy: 6.90903234258047

        Persistence and Installation Behavior

        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 3_2_023AE8B2
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-LCDEV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-EORFE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_shfoldr.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-GR8PB.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libEGL.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcr100.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UKKM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_setup64.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5PrintSupport.dll (copy)
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | File created: C:\ProgramData\SmartFileDefrag\SmartFileDefrag.exe
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libGLESv2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_iscrypt.dll
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5Concurrent.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\is-5482O.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\sqlite3.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UG3I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-RNJ96.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-AQM23.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcp100.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-2QVUK.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuin51.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-5P6NV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | File created: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuuc51.dll (copy)
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | File created: C:\ProgramData\SmartFileDefrag\sqlite3.dll
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | File created: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp

        Boot Survival

        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 | 3_2_023AE8B2
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_0040D94D StartServiceCtrlDispatcherA, | 3_2_0040D94D
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, | 2_2_00423C1C
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_004241EC IsIconic,SetActiveWindow,SetFocus,2_2_004241EC
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_004241A4 IsIconic,SetActiveWindow,2_2_004241A4
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,2_2_00418394
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,2_2_004843A8
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,2_2_0042286C
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,2_2_0042F2F0
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_004175A8 IsIconic,GetCapture,2_2_004175A8
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_00417CDE IsIconic,SetWindowPos,2_2_00417CDE
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_00417CE0
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpCode function: 2_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,2_2_0041F128
        Source: C:\Users\user\Desktop\tKBxw8eOIV.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exeCode function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,3_2_023AE9B6
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Dropped PE files which have not been started:
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-LCDEV.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UG3I.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-EORFE.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-RNJ96.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-AQM23.tmp
    C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_shfoldr.dll
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcr100.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-GR8PB.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libEGL.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcp100.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UKKM.tmp
    C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_setup64.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5PrintSupport.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-2QVUK.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\unins000.exe (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libGLESv2.dll (copy)
    C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_iscrypt.dll
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5Concurrent.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuin51.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-5P6NV.tmp
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuuc51.dll (copy)
    C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\is-5482O.tmp
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5966
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe TID: 1396 | Thread sleep count: 79 > 30
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe TID: 1396 | Thread sleep time: -158000s >= -30000s
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe TID: 5092 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe TID: 5092 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00452AD4 FindFirstFileA,GetLastError,2_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00475798 FindFirstFileA,FindNextFileA,FindClose,2_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,2_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,2_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,2_2_00498FDC
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_00409B78
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Thread delayed: delay time: 60000
Source: smartfiledefrag13.exe, 00000003.00000002.4021360379.0000000003320000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000002.4019290046.0000000000818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: is-8F7LH.tmp.2.dr | Binary or memory string: vmCi[j
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | API call chain: ExitProcess graph end node graph_0-6763
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | API call chain: ExitProcess graph end node graph_3-61907
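The sleep, raw-disk and adapter-query entries above are the kind of heuristic a sandbox applies to an API trace. The Python below is an added example, not part of this Joe Sandbox report and not Joe Sandbox code: it applies the two thresholds the report prints (more than 30 Sleep calls on one thread, or a single delay of at least 30000, taken here as milliseconds, which is an assumption) to a constructed trace, and flags the GetAdaptersInfo, IsDebuggerPresent and PhysicalDrive0 calls the report lists. The trace format and its rows are invented for the example; only the thread IDs, PID and the 60000 delay value come from the report.

```python
"""Sleep-based sandbox-evasion heuristics over a constructed API trace.

Added example, not part of the Joe Sandbox report. Thresholds are the ones
the report prints ("sleep count: 79 > 30", "sleep time ... >= 30000");
the trace format is invented for illustration.
"""
from collections import defaultdict

# Thresholds as printed in the report; units assumed to be milliseconds.
SLEEP_COUNT_THRESHOLD = 30
SLEEP_DELAY_THRESHOLD_MS = 30_000

# APIs the report ties to environment fingerprinting / anti-debugging.
FINGERPRINT_APIS = {"GetAdaptersInfo", "IsDebuggerPresent", "cpuid", "GetSystemInfo"}

# Constructed trace rows: (pid, tid, api, argument). Not real sandbox output.
# Thread 1396 sleeps 79 times (2 s each = 158000 ms in total), thread 5092
# twice for 60 s; a third, unrelated process sleeps once briefly.
TRACE = [
    *[(6212, 1396, "Sleep", 2000) for _ in range(79)],
    (6212, 5092, "Sleep", 60000),
    (6212, 5092, "Sleep", 60000),
    (6212, 1396, "GetAdaptersInfo", None),
    (6212, 1396, "CreateFileA", "\\\\.\\PhysicalDrive0"),
    (6212, 1396, "IsDebuggerPresent", None),
    (4444, 1, "Sleep", 500),
]


def sleep_stats(trace):
    """Per-(pid, tid) Sleep call count and largest single delay."""
    counts = defaultdict(int)
    max_delay = defaultdict(int)
    for pid, tid, api, arg in trace:
        if api == "Sleep":
            counts[(pid, tid)] += 1
            max_delay[(pid, tid)] = max(max_delay[(pid, tid)], int(arg))
    return counts, max_delay


def evasion_findings(trace):
    """Return (pid, tid, finding) tuples, one per heuristic that fires."""
    findings = []
    counts, max_delay = sleep_stats(trace)
    for key, n in counts.items():
        if n > SLEEP_COUNT_THRESHOLD:
            findings.append((*key, f"thread sleep count: {n} > {SLEEP_COUNT_THRESHOLD}"))
        if max_delay[key] >= SLEEP_DELAY_THRESHOLD_MS:
            findings.append((*key, f"thread sleep time: {max_delay[key]}ms >= {SLEEP_DELAY_THRESHOLD_MS}ms"))
    for pid, tid, api, arg in trace:
        if api in FINGERPRINT_APIS:
            findings.append((pid, tid, f"fingerprinting API: {api}"))
        # Opening the raw disk device is how the report's "File opened: PhysicalDrive0" shows up.
        if api == "CreateFileA" and isinstance(arg, str) and arg.upper().endswith("PHYSICALDRIVE0"):
            findings.append((pid, tid, "raw disk open: PhysicalDrive0"))
    return findings


def total_evasion_delay_ms(trace, pid):
    """Sum of all Sleep arguments for one process: the time a sandbox must wait out."""
    return sum(int(arg) for p, _, api, arg in trace if p == pid and api == "Sleep")


if __name__ == "__main__":
    for finding in evasion_findings(TRACE):
        print(finding)
    print("total delay for PID 6212:", total_evasion_delay_ms(TRACE, 6212), "ms")
```

Two things this shows that the table alone does not: the count heuristic and the single-delay heuristic fire on different threads (many short sleeps on one, two long sleeps on the other), and summed up they amount to several minutes that an analysis run has to either wait out or patch away.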
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_00401E47 LdrInitializeThunk,3_2_00401E47
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023B3A08 _memset,IsDebuggerPresent,3_2_023B3A08
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023BE6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,LdrInitializeThunk,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,3_2_023BE6BE
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_00450334
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023A5E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,LdrInitializeThunk,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,3_2_023A5E59
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023B80E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_023B80E8
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,2_2_00478DC4
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,2_2_0042EE28
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,2_2_0042E0AC
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_023AE86A cpuid 3_2_023AE86A
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: GetLocaleInfoA,0_2_0040520C
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: GetLocaleInfoA,0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: GetLocaleInfoA,2_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: GetLocaleInfoA,2_2_004085C4
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,2_2_00458670
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_004026C4 GetSystemTime,0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | Code function: 2_2_00455644 GetUserNameA,2_2_00455644
Source: C:\Users\user\Desktop\tKBxw8eOIV.exe | Code function: 0_2_00405CF4 GetVersionExA,0_2_00405CF4

Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.4020546247.00000000023A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4020890820.000000000268B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: smartfiledefrag13.exe PID: 6212, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.4020546247.00000000023A1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4020890820.000000000268B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: smartfiledefrag13.exe PID: 6212, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_609660FA
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,3_2_6090C1D6
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60963143
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_6096A2BD
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,3_2_6096923E
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,3_2_6096A38C
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_6096748C
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,3_2_609254B1
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6094B407
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6090F435 sqlite3_bind_parameter_index,3_2_6090F435
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,3_2_609255D4
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609255FF sqlite3_bind_text,3_2_609255FF
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,LdrInitializeThunk,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,3_2_6096A5EE
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,3_2_6094B54C
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,3_2_60925686
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,3_2_6094A6C5
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,3_2_609256E5
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B6ED
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6092562A sqlite3_bind_blob,3_2_6092562A
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,3_2_60925655
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6094C64A
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,3_2_609687A7
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,3_2_6095F7F7
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,3_2_6092570B
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F772
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,3_2_60925778
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6090577D sqlite3_bind_parameter_name,3_2_6090577D
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,3_2_6094B764
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6090576B sqlite3_bind_parameter_count,3_2_6090576B
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,3_2_6094A894
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095F883
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,3_2_6094C8C2
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,3_2_6096281E
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,3_2_6096583A
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,3_2_6095F9AD
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6094A92B
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6090EAE5 sqlite3_transfer_bindings,3_2_6090EAE5
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,3_2_6095FB98
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,3_2_6095ECA6
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,3_2_6095FCCE
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,3_2_6095FDAE
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,3_2_60966DF1
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,3_2_60969D75
Source: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe | Code function: 3_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,3_2_6095FFB2
MITRE ATT&CK matrix (the number in parentheses is the count shown next to that technique in the report's matrix; entries without a number are the matrix's placeholder techniques, listed here as they appeared)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (2); Command and Scripting Interpreter (2); Service Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Windows Service (5); Bootkit (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (5); Process Injection (2); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (21); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (21); Access Token Manipulation (1); Process Injection (2); Bootkit (1); Dynamic API Resolution
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Security Software Discovery (41); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); System Owner/User Discovery (3); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Application Layer Protocol (1); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Antivirus detection, initial sample:
Source | Detection | Scanner
tKBxw8eOIV.exe | 19% | Virustotal
tKBxw8eOIV.exe | 8% | ReversingLabs

Antivirus detection, dropped files:
Source | Detection | Scanner
C:\ProgramData\SmartFileDefrag\sqlite3.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5Concurrent.dll (copy) | 4% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\Qt5PrintSupport.dll (copy) | 4% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuin51.dll (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\icuuc51.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-2QVUK.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-5P6NV.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UG3I.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-9UKKM.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-AQM23.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-EORFE.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-GR8PB.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-LCDEV.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\is-RNJ96.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libEGL.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\libGLESv2.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcp100.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\msvcr100.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\sqlite3.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\is-5482O.tmp | 3% | ReversingLabs
C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\uninstall\unins000.exe (copy) | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp | 3% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9OECC.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs

No Antivirus matches

Antivirus detection, URLs:
Source | Detection | Scanner | Label
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5ca212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd4da955d4ccd | 0% | Avira URL Cloud | safe
http://www.countnow.ru | 0% | Avira URL Cloud | safe
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241 | 0% | Avira URL Cloud | safe
https://176.113.115.96/Z | 0% | Avira URL Cloud | safe
        No contacted domains info
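The URL entries above give a hunting lead that is more durable than the single IP: the check-in is an HTTPS request straight to a bare IP address, path /ai/, with a long hexadecimal key parameter, and the URL reputation services in the table rate it as safe or unknown, so blocklists alone will not catch it. The Python below is an added example, not part of the report: it classifies proxy log lines either by the exact IP the report lists or by that URL shape. The log format and the log lines are constructed for the example; the second address, 203.0.113.9, is a documentation range address and not an indicator from the report, and the 64-hex-character minimum is a threshold chosen here, not one the report states.

```python
"""Hunt proxy logs for the Socks5Systemz check-in URL shape seen in the report.

Added example, not part of the Joe Sandbox report. Observed URL:
https://176.113.115.96/ai/?key=<long hex>. The log format, its lines and the
203.0.113.9 address are constructed; the 64-hex minimum is a chosen threshold.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report's URL tables.
C2_IP = "176.113.115.96"
CHECKIN_PATH = "/ai/"

# The observed key is well over 200 hex characters; treat 64 or more as suspicious (assumption).
HEX_KEY_RE = re.compile(r"^[0-9a-f]{64,}$")

# Constructed proxy log: "<client_ip> <method> <url> <status>" per line. Not real traffic.
PROXY_LOG = """\
10.0.0.5 GET https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5ca212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd4da955d4ccd 200
10.0.0.5 GET https://www.easycutstudio.com/support.html 200
10.0.0.7 GET https://203.0.113.9/ai/?key=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 200
10.0.0.9 GET https://example.org/ai/?key=short 404
"""


def host_is_bare_ip(host):
    """True when the URL host is a literal IP rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url):
    """Return 'known_c2' (exact IP from the report), 'pattern_match' (same URL shape) or None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == C2_IP:
        return "known_c2"
    key = parse_qs(parts.query).get("key", [""])[0]
    if parts.path == CHECKIN_PATH and host_is_bare_ip(host) and HEX_KEY_RE.match(key):
        return "pattern_match"
    return None


def hunt(log_text):
    """Return (client_ip, verdict, url) for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash the sweep
        client, _method, url, _status = fields[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in hunt(PROXY_LOG):
        print(f"{client}\t{verdict}\t{url[:60]}...")
```

The exact-IP match is what the report supports directly; the shape match is the generalisation a hunter would add so that the same beacon to a different host is still caught, at the cost of occasional false positives on benign IP-addressed services that happen to use a hex token.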
        NameMaliciousAntivirus DetectionReputation
        https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5ca212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd4da955d4ccdfalse
        • Avira URL Cloud: safe
        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | tKBxw8eOIV.tmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | tKBxw8eOIV.exe | false | | high
https://176.113.115.96/Z | smartfiledefrag13.exe, 00000003.00000002.4019290046.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.remobjects.com/psU | tKBxw8eOIV.exe, 00000000.00000003.2161032856.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160780335.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | false | | high
http://www.remobjects.com/ps | tKBxw8eOIV.exe, 00000000.00000003.2161032856.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160780335.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, tKBxw8eOIV.tmp, 00000002.00000002.4018943988.0000000000401000.00000020.00000001.01000000.00000004.sdmp, tKBxw8eOIV.tmp.0.dr, is-5482O.tmp.2.dr | false | | high
https://www.easycutstudio.com/support.html | tKBxw8eOIV.exe, 00000000.00000003.2160476522.0000000002121000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000002.4019373102.0000000002121000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.exe, 00000000.00000003.2160402309.0000000002350000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000003.2162931488.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4019719142.0000000002128000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000003.2162852704.00000000030F0000.00000004.00001000.00020000.00000000.sdmp, tKBxw8eOIV.tmp, 00000002.00000002.4019287541.00000000006C4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://176.113.115.96/ | smartfiledefrag13.exe, 00000003.00000002.4019290046.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://icu-project.org | is-GR8PB.tmp.2.dr, is-LCDEV.tmp.2.dr | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | tKBxw8eOIV.exe | false | | high
https://176.113.115.96/ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241 | smartfiledefrag13.exe, 00000003.00000002.4019290046.0000000000905000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.countnow.ru | tKBxw8eOIV.tmp, 00000002.00000002.4020195154.0000000005C8A000.00000004.00001000.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000003.2181736491.0000000002648000.00000004.00000020.00020000.00000000.sdmp, smartfiledefrag13.exe, 00000003.00000000.2181054207.000000000065C000.00000002.00000001.01000000.00000009.sdmp, smartfiledefrag13.exe.2.dr, SmartFileDefrag.exe.3.dr, is-8F7LH.tmp.2.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
176.113.115.96 | unknown | Russian Federation | 49505 | SELECTELRU | false
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1628986
                        Start date and time:2025-03-04 10:35:28 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 17s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Run name:Run with higher sleep bypass
                        Number of analysed new started processes analysed:7
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:tKBxw8eOIV.exe
                        renamed because original name is a hash value
                        Original Sample Name:51f4cfbe1c4f38beb7d4185086720317.exe
                        Detection:MAL
                        Classification:mal84.troj.evad.winEXE@5/32@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 93%
                        • Number of executed functions: 187
                        • Number of non-executed functions: 314
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 13.107.246.60, 52.149.20.212
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name
176.113.115.96 | soft.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz
 | file.exe | malicious | Socks5Systemz
 | file.exe | malicious | Socks5Systemz
 | silk.exe | malicious | Socks5Systemz
 | silk.exe | malicious | Socks5Systemz
 | random.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz
 | mix.exe | malicious | Socks5Systemz
                                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SELECTELRU | rhsvjqRoEV.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, XWorm | 176.113.115.6
 | S2W2ftXM2b.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, XWorm | 176.113.115.6
 | pGOrhjLXy3.exe | malicious | Amadey, LummaC Stealer, Stealc | 176.113.115.6
 | cbr.x86.elf | malicious | Mirai | 45.146.169.54
 | random.exe | malicious | Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc | 176.113.115.6
 | random.exe | malicious | Amadey, LummaC Stealer | 176.113.115.6
 | soft.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz | 176.113.115.96
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz | 176.113.115.96
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz | 176.113.115.96
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | xn3nGSFdRn.exe | malicious | Vidar | 176.113.115.96
 | soft.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz | 176.113.115.96
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz | 176.113.115.96
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz | 176.113.115.96
 | file.exe | malicious | Socks5Systemz | 176.113.115.96
 | file.exe | malicious | Socks5Systemz | 176.113.115.96
 | yMwA2Hcj3Q.dll | malicious | CobaltStrike, Metasploit | 176.113.115.96
 | server.exe | malicious | Ursnif | 176.113.115.96
 | silk.exe | malicious | Socks5Systemz | 176.113.115.96
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\SmartFileDefrag\sqlite3.dll | soft.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz
 | 9uWGaRcOv8.exe | malicious | Socks5Systemz
 | file.exe | malicious | Socks5Systemz
 | file.exe | malicious | Socks5Systemz
 | silk.exe | malicious | Socks5Systemz
 | silk.exe | malicious | Socks5Systemz
 | 1w5RpHuliE.exe | malicious | Amadey, GCleaner, LummaC Stealer, PureLog Stealer, RedLine, SmokeLoader, Vidar
 | random.exe | malicious | GCleaner, LummaC Stealer, Socks5Systemz
                                                            Process:C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):3036672
                                                            Entropy (8bit):6.676551488534372
                                                            Encrypted:false
                                                            SSDEEP:49152:Gewe1eae/lefseluTQep6eMiXMiyq9fMmkmBtla/9WdyplLnDesOJvA:yecSoii86fMmkmBra/9WdyplaJ
                                                            MD5:483573178F49D6667013866FB10AB1CB
                                                            SHA1:927E913247E5458925813BC6747AE9882BC03FD6
                                                            SHA-256:4E43B32BCA5224D444D61A366E6949A33DF1526C2AD209A1EC49221D9972A323
                                                            SHA-512:0404AC48831B71A1EB78EEE6BB7F4C39FF6543E0809A511198151152283A4D39574328345E6136A19E4DAE46D6B0AAB9175A6611769BD3E0E1F97E2453BEEA08
                                                            Malicious:false
                                                            Reputation:low
                                                            Process:C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):645592
                                                            Entropy (8bit):6.50414583238337
                                                            Encrypted:false
                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Joe Sandbox View:
• Filename: soft.exe, Detection: malicious
• Filename: 9uWGaRcOv8.exe, Detection: malicious
• Filename: 9uWGaRcOv8.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: silk.exe, Detection: malicious
• Filename: silk.exe, Detection: malicious
• Filename: 1w5RpHuliE.exe, Detection: malicious
• Filename: random.exe, Detection: malicious
                                                            Reputation:moderate, very likely benign file
                                                            Process:C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
                                                            File Type:ISO-8859 text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):8
                                                            Entropy (8bit):2.0
                                                            Encrypted:false
                                                            SSDEEP:3:q+X:q+X
                                                            MD5:146E8F93B0E4A1ED967CBFC646C0A1C7
                                                            SHA1:B3419F9EA2F18E7BE0059A0E78FAE2EEC96311D6
                                                            SHA-256:A9932AF22E9B55CDE168F51CFC3170FC141579AC65EBE1241D8AD64601A68CCE
                                                            SHA-512:5FB3DE1770C1336F994210775571C50FB0D6CE2602ACAF77F1E4ACA6D66013BFA42A3D58D11ED4922E1CD7708B3B6EC06D5C9E278B334D310EAFD3E0928F9E2F
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:...g....
                                                            Process:C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):4
                                                            Entropy (8bit):0.8112781244591328
                                                            Encrypted:false
                                                            SSDEEP:3:M:M
                                                            MD5:4352D88A78AA39750BF70CD6F27BCAA5
                                                            SHA1:3C585604E87F855973731FEA83E21FAB9392D2FC
                                                            SHA-256:67ABDD721024F0FF4E0B3F4C2FC13BC5BAD42D0B7851D456D88D203D15AAA450
                                                            SHA-512:EDF92E3D4F80FC47D948EA2F17B9BFC742D34E2E785A7A4927F3E261E8BD9D400B648BFF2123B8396D24FB28F5869979E08D58B4B5D156E640344A2C0A54675D
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:....
                                                            Process:C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):128
                                                            Entropy (8bit):2.954183719820564
                                                            Encrypted:false
                                                            SSDEEP:3:Z8VUrGqdhHzXDBdUBWetxt:CVU6q3HzX3UFx
                                                            MD5:073FE28824EFEF0F988C91430211DB78
                                                            SHA1:4B8FDD8229EA0EF42FE7770D5C027419F552120A
                                                            SHA-256:37007FCAA22D8287277F6D9C6720F0E946E1F7C419145F1B7D719C0F751EF0E0
                                                            SHA-512:0D128B31D1F2EDE809AD33F11C80A266B6B8E097B80BE135A5EDE7E6D7883A7E51D437E147D803F4887B07947B9FD461D05DF750C9382996FAE7F0BC2168E49E
                                                            Malicious:false
                                                            Preview:1eb2b84e0110dff756582a45e74bb62f518d3799011c89eb7c719048e83fac56................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18432
                                                            Entropy (8bit):5.996483336647155
                                                            Encrypted:false
                                                            SSDEEP:384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
                                                            MD5:C5735F75847667E33A6B2D5E50D19C6F
                                                            SHA1:D2C5952138FA5A246EC5900C9E680E7AEAF099AF
                                                            SHA-256:32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
                                                            SHA-512:DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):226304
                                                            Entropy (8bit):6.833378525054972
                                                            Encrypted:false
                                                            SSDEEP:6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
                                                            MD5:0E2C47A16BC8ED754E810FEAEFF64E0D
                                                            SHA1:7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
                                                            SHA-256:FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
                                                            SHA-512:9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1767424
                                                            Entropy (8bit):6.502501235310596
                                                            Encrypted:false
                                                            SSDEEP:24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
                                                            MD5:A7F201C0B9AC05E950ECC55D4403EC16
                                                            SHA1:20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
                                                            SHA-256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
                                                            SHA-512:0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1295872
                                                            Entropy (8bit):6.469213828080914
                                                            Encrypted:false
                                                            SSDEEP:24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
                                                            MD5:DAE4100039A943128C34BA3E05F6CD02
                                                            SHA1:22B25C997C8204CA104CB72D98BC7FE57EA02B48
                                                            SHA-256:2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
                                                            SHA-512:5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):226304
                                                            Entropy (8bit):6.833378525054972
                                                            Encrypted:false
                                                            SSDEEP:6144:dN8sMIcF8WExUx855gVPXQj5zxXhvRrxVEYnRWmgZvgiLMOnf:dNL9e8W4UMiV
                                                            MD5:0E2C47A16BC8ED754E810FEAEFF64E0D
                                                            SHA1:7C23F3C5DD8E613DB1B426FAE98D0FDC0226068E
                                                            SHA-256:FF6507A53076A9C33D7AE07CDE0E876E1AD5B81A2DA18EBDC24608E79B4BBF0E
                                                            SHA-512:9A2D9EDF5C3959E0D463161D9DB0C7457741785F7FE4E76097D13D24F6E566D50CCC3DC1BCFF6872AC52577F74CFEB957A03242B5565E333C0679E6D79D5A07B
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):773968
                                                            Entropy (8bit):6.901569696995594
                                                            Encrypted:false
                                                            SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                            MD5:BF38660A9125935658CFA3E53FDC7D65
                                                            SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                            SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                            SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):3036672
                                                            Entropy (8bit):6.676551553887878
                                                            Encrypted:false
                                                            SSDEEP:49152:Rewe1eae/lefseluTQep6eMiXMiyq9fMmkmBtla/9WdyplLnDesOJvA:1ecSoii86fMmkmBra/9WdyplaJ
                                                            MD5:F5D1B5D7DFEBF250F91A607903A121EC
                                                            SHA1:4A7B5B98BE83C51AE6237042F17B92C1E3A44995
                                                            SHA-256:A288996D52C56D005E71B7DAA601715058CBDE6A2DBAB5CB588D40FA0F8529BF
                                                            SHA-512:8AAFEB81F6315BA156F23D86CDFFA655D0BD15E004C90BC94302AD3900912BC067B5B30DC682BA7C875CA1F3D9C2BDA2F3802A4C63642370B52277C70BA090D4
                                                            Malicious:false
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):645592
                                                            Entropy (8bit):6.50414583238337
                                                            Encrypted:false
                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):18432
                                                            Entropy (8bit):5.996483336647155
                                                            Encrypted:false
                                                            SSDEEP:384:lLKSmUAPRD6PA/GKge44+4yif7DOnFPV5kzaOCSSZ:IVH/D4z4yG7DOnFdKaO6Z
                                                            MD5:C5735F75847667E33A6B2D5E50D19C6F
                                                            SHA1:D2C5952138FA5A246EC5900C9E680E7AEAF099AF
                                                            SHA-256:32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616
                                                            SHA-512:DA961258A682C732F0A480EE7220D74B4511FA5313FB3BF0ACAF07AA42FA7410F3EE1A83C221C995854C2919286676F346A45CD278E1D1929E0164155F6D98F5
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 4%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):421200
                                                            Entropy (8bit):6.595802017835318
                                                            Encrypted:false
                                                            SSDEEP:12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
                                                            MD5:E3C817F7FE44CC870ECDBCBC3EA36132
                                                            SHA1:2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
                                                            SHA-256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
                                                            SHA-512:4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):48128
                                                            Entropy (8bit):6.044429679961545
                                                            Encrypted:false
                                                            SSDEEP:768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
                                                            MD5:EAE56B896A718C3BC87A4253832A5650
                                                            SHA1:4987D30E08490B3C5F356F47C33061E2F7E608C9
                                                            SHA-256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
                                                            SHA-512:044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1295872
                                                            Entropy (8bit):6.469213828080914
                                                            Encrypted:false
                                                            SSDEEP:24576:DCYW9S/7mMcs50Mf+Av1gQp3Y6ZBGB6riFv9Kk2HPmOh:DCw/8s0IaQp3Y6ZBj+Kf
                                                            MD5:DAE4100039A943128C34BA3E05F6CD02
                                                            SHA1:22B25C997C8204CA104CB72D98BC7FE57EA02B48
                                                            SHA-256:2357806CA24C9D3152D54D34270810DA9D9CA943462EBF7291AE06A10E5CB8BA
                                                            SHA-512:5155B812AFECDDFCC904AD403D04DD060D284A2E9A9A0B26CCC96FB593801176BE2BA69FFD2FA2A6F246A84F6DC824F042ADACA7E8C1D3D57AAE3FC62C2C24E1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):1767424
                                                            Entropy (8bit):6.502501235310596
                                                            Encrypted:false
                                                            SSDEEP:24576:7GWPHUAzlcNk0BjXxOKWf8e4VY/+AnattjtpKFJ/t:FPHUGOkIxOKW5OXlKHV
                                                            MD5:A7F201C0B9AC05E950ECC55D4403EC16
                                                            SHA1:20B5B9AEFD27B11BD129AF6BF362D11DFFAFA5E5
                                                            SHA-256:173092C4E256958B100683A6AB2CE0D1C9895EC63F222198F9DE485E61C728CA
                                                            SHA-512:0D3B3A3F2D5C39B7309943591E51587C1DB4BFC70EA5B0FD4A9016AACF0CA9DFA69040E6D74E1B9424FD8E41B3B3E22AB5D7C5352AF6C216E491EDEC78C612D7
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 2%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):728576
                                                            Entropy (8bit):6.569671392209985
                                                            Encrypted:false
                                                            SSDEEP:12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
                                                            MD5:A73EE126B2E6D43182D4C3482899D338
                                                            SHA1:998F61112F911B050F7E07021F58AAB4F64C5D36
                                                            SHA-256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
                                                            SHA-512:2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):48128
                                                            Entropy (8bit):6.044429679961545
                                                            Encrypted:false
                                                            SSDEEP:768:Ydp3loIiS+gbIdX9h9btywVT+0sdfLKc/IQiInhtTaQotOnKOdHGd3:YH3llRbIdth9JjTvsFec/IYhtuztOnpW
                                                            MD5:EAE56B896A718C3BC87A4253832A5650
                                                            SHA1:4987D30E08490B3C5F356F47C33061E2F7E608C9
                                                            SHA-256:EE1D7D8F396D627FEE7DCF2655FB5ACFE5A1EE2A5DEEDA764EF311E75B94CEA1
                                                            SHA-512:044335B7899189C9685C9FE1C7985EE2A985A77B1C2B59FB81884BFE353DD80973C3918A107D67550C4FA686E1838D15206519015FA58A9EB054BAFA10720551
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):728576
                                                            Entropy (8bit):6.569671392209985
                                                            Encrypted:false
                                                            SSDEEP:12288:HgCO4mFq3kAVoYQVggbGAoTbmnuNfMxJWVtrKnffO9Py0n4wj:AcmFq37JQOTbZpaffOFy0n4G
                                                            MD5:A73EE126B2E6D43182D4C3482899D338
                                                            SHA1:998F61112F911B050F7E07021F58AAB4F64C5D36
                                                            SHA-256:06BBE605D7B0EF044871633B496948A8D65C78661E457D0844DC434A0609F763
                                                            SHA-512:2E3A83421154C4B3499FCC7E66F5FA7BF95FB157002CA7EC0DB2041AE9C9A3483C7787D9E07E48C28D28B216B577B5D0972ED03F54FBA34F6E908F74137837B9
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):421200
                                                            Entropy (8bit):6.595802017835318
                                                            Encrypted:false
                                                            SSDEEP:12288:zNb8zxr1aWPaHX7dGP57rhUgiW6QR7t5qv3Ooc8UHkC2ejGH:zNb8Fpa6aHX7dGP5Kv3Ooc8UHkC2eKH
                                                            MD5:E3C817F7FE44CC870ECDBCBC3EA36132
                                                            SHA1:2ADA702A0C143A7AE39B7DE16A4B5CC994D2548B
                                                            SHA-256:D769FAFA2B3232DE9FA7153212BA287F68E745257F1C00FAFB511E7A02DE7ADF
                                                            SHA-512:4FCF3FCDD27C97A714E173AA221F53DF6C152636D77DEA49E256A9788F2D3F2C2D7315DD0B4D72ECEFC553082F9149B8580779ABB39891A88907F16EC9E13CBE
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):773968
                                                            Entropy (8bit):6.901569696995594
                                                            Encrypted:false
                                                            SSDEEP:12288:yMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BV0eAI:dmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV4I
                                                            MD5:BF38660A9125935658CFA3E53FDC7D65
                                                            SHA1:0B51FB415EC89848F339F8989D323BEA722BFD70
                                                            SHA-256:60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
                                                            SHA-512:25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L..."._M.........."!.........................0.....x................................u.....@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:modified
                                                            Size (bytes):3036672
                                                            Entropy (8bit):6.676551488534372
                                                            Encrypted:false
                                                            SSDEEP:49152:Gewe1eae/lefseluTQep6eMiXMiyq9fMmkmBtla/9WdyplLnDesOJvA:yecSoii86fMmkmBra/9WdyplaJ
                                                            MD5:483573178F49D6667013866FB10AB1CB
                                                            SHA1:927E913247E5458925813BC6747AE9882BC03FD6
                                                            SHA-256:4E43B32BCA5224D444D61A366E6949A33DF1526C2AD209A1EC49221D9972A323
                                                            SHA-512:0404AC48831B71A1EB78EEE6BB7F4C39FF6543E0809A511198151152283A4D39574328345E6136A19E4DAE46D6B0AAB9175A6611769BD3E0E1F97E2453BEEA08
                                                            Malicious:true
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....P.g..................#..........?#.......#...@........................................................................D.#......P$.0[............................................................................#.p............................text...*.#.......#.................`....rdata...?....#..@....#.............@..@.data....c....#..0....#.............@....rsrc....\...P$..\....#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):645592
                                                            Entropy (8bit):6.50414583238337
                                                            Encrypted:false
                                                            SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                            MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                            SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                            SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                            SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):722597
                                                            Entropy (8bit):6.522043548379102
                                                            Encrypted:false
                                                            SSDEEP:12288:jQ4Ch1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblI4cNaf/yxyRP:jQph1yLmSKrPD37zzH2A6QD/IpqggE2y
                                                            MD5:AAAC7D961509F2DC44974ED319205A72
                                                            SHA1:7DB7F5C81D13EF477D739E5E66E7406F20995566
                                                            SHA-256:DEF4FACD78AD9431A1357195EEFB78FB8C0201B9D6B34E0D10BD766D5E4B4FDD
                                                            SHA-512:F08E2847DB28C6B921B07A96F021BAFF287EA94C6FE148A7E6CA5F6032B068BDE1740B433D82BBA35B0DDEDBAEFCBFEF8DB1ACA14DB6590A595CEC3BA96EE216
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:InnoSetup Log Smart File Defrag, version 0x30, 5054 bytes, 376483\user, "C:\Users\user\AppData\Local\Smart File Defrag 7.1.3"
                                                            Category:dropped
                                                            Size (bytes):5054
                                                            Entropy (8bit):4.771582245877612
                                                            Encrypted:false
                                                            SSDEEP:96:odWi488/pAU4W9s+eOIh9a7ICSss/Lnuw//uEYi6t:odWi480pA+HIhCICSsAnZ/u5
                                                            MD5:F580A25DE5B34F5099F32A8A8D6E9BD0
                                                            SHA1:1856D7E4A6196AE5F9710309589C1F141B528AFB
                                                            SHA-256:05DA6488D5A26CB542E23D73264E76E8CE6455588541C8EE977D91FBB1D49DFA
                                                            SHA-512:88627F1548B266AF0B4BCF109CA5B898161B8790F7D60E73741919BE420F43709941340BE6DE1D7247C5A7DBD54E59FA444E1166A4EA70C2C33FAA5B751EE8D0
                                                            Malicious:false
                                                            Preview:Inno Setup Uninstall Log (b)....................................Smart File Defrag...............................................................................................................Smart File Defrag...............................................................................................................0...........%...........................................................................................................................L.`g......Z....376483.user7C:\Users\user\AppData\Local\Smart File Defrag 7.1.3...........$...... ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):722597
                                                            Entropy (8bit):6.522043548379102
                                                            Encrypted:false
                                                            SSDEEP:12288:jQ4Ch1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblI4cNaf/yxyRP:jQph1yLmSKrPD37zzH2A6QD/IpqggE2y
                                                            MD5:AAAC7D961509F2DC44974ED319205A72
                                                            SHA1:7DB7F5C81D13EF477D739E5E66E7406F20995566
                                                            SHA-256:DEF4FACD78AD9431A1357195EEFB78FB8C0201B9D6B34E0D10BD766D5E4B4FDD
                                                            SHA-512:F08E2847DB28C6B921B07A96F021BAFF287EA94C6FE148A7E6CA5F6032B068BDE1740B433D82BBA35B0DDEDBAEFCBFEF8DB1ACA14DB6590A595CEC3BA96EE216
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\Desktop\tKBxw8eOIV.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):711168
                                                            Entropy (8bit):6.513789679017668
                                                            Encrypted:false
                                                            SSDEEP:12288:bQ4Ch1/aLmSKrPD37zzH2A6QGgx/bsQYq9KgERkVfzrrNVyblI4cNaf/yxyR:bQph1yLmSKrPD37zzH2A6QD/IpqggE2M
                                                            MD5:A68E919AA98AF0107E6C6C200955EF9C
                                                            SHA1:C48FC16FAB8AB5F59C2619FAD6C14C676FAEE68B
                                                            SHA-256:8577C42C652797CE0B766CAC8E82F0C35B78C24DA42A56A0AE5E0FAB3353E3F5
                                                            SHA-512:183BC84D30D16A27EF509EB8FA75EE5687623825825EAD596F3DFA6B84E4EB96D1495D54707EF8894E536D0E75717D0BAADE380B3A9F9A957606D62347DE6D99
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 3%
                                                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@.......................................@......@...............................&........................................................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc...............................@..P.....................f..............@..P........................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):2560
                                                            Entropy (8bit):2.8818118453929262
                                                            Encrypted:false
                                                            SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                            MD5:A69559718AB506675E907FE49DEB71E9
                                                            SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                            SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                            SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32+ executable (console) x86-64, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):6144
                                                            Entropy (8bit):4.720366600008286
                                                            Encrypted:false
                                                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                            Category:dropped
                                                            Size (bytes):23312
                                                            Entropy (8bit):4.596242908851566
                                                            Encrypted:false
                                                            SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                            MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                            SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                            SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                            SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                            Malicious:false
                                                            Antivirus:
                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
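The dropped-file records above repeat the same "Key:value" layout for every file, and the same payload can appear more than once (the 722597-byte file is listed twice with an identical SHA-256, once dropped by the installer temp process and once more). The following is an added example, not Joe Sandbox code, that parses an excerpt of these records into one entry per SHA-256 and derives an IOC list from the sandbox verdict and the ReversingLabs detection rate. It assumes that a record begins at its `Process:` line, since the per-file path header is not present in this extraction; the excerpt embedded below is constructed from the records on this page with previews omitted.

```python
import re

# Constructed excerpt of the dropped-file records listed above (previews and
# hashes other than SHA-256 omitted). Not the full report.
SAMPLE_REPORT = r"""
Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):3036672
SHA-256:4E43B32BCA5224D444D61A366E6949A33DF1526C2AD209A1EC49221D9972A323
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):722597
SHA-256:DEF4FACD78AD9431A1357195EEFB78FB8C0201B9D6B34E0D10BD766D5E4B4FDD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):722597
SHA-256:DEF4FACD78AD9431A1357195EEFB78FB8C0201B9D6B34E0D10BD766D5E4B4FDD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Process:C:\Users\user\Desktop\tKBxw8eOIV.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):711168
SHA-256:8577C42C652797CE0B766CAC8E82F0C35B78C24DA42A56A0AE5E0FAB3353E3F5
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
"""


def parse_records(text):
    """Split the report text into one dict per dropped file.

    Assumption: a record starts at its 'Process:' line (the path header
    that normally precedes it is absent from this extraction). AV bullet
    lines are folded into the record as an integer detection percentage.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            m = re.search(r"Detection:\s*(\d+)%", line)
            if m and current is not None:
                current["detection_pct"] = int(m.group(1))
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {"Process": value}
            records.append(current)
        elif current is not None:
            current[key] = value
    return records


def triage(records):
    """Group records by SHA-256 so one payload written to several paths is a
    single IOC; keep every dropper process, every category and the worst
    verdict seen for that hash."""
    by_hash = {}
    for r in records:
        h = r.get("SHA-256")
        if not h:
            continue
        e = by_hash.setdefault(h, {
            "size": int(r.get("Size (bytes)", 0)),
            "processes": set(), "categories": set(),
            "malicious": False, "detection_pct": 0, "copies": 0,
        })
        e["copies"] += 1
        e["processes"].add(r["Process"])
        e["categories"].add(r.get("Category", "?"))
        e["malicious"] |= r.get("Malicious", "").lower() == "true"
        e["detection_pct"] = max(e["detection_pct"], r.get("detection_pct", 0))
    return by_hash


def ioc_list(by_hash, min_detection=1):
    """Hashes worth blocking: sandbox verdict 'true' or an AV detection rate
    at or above min_detection percent. Sorted for stable output."""
    return sorted(h for h, e in by_hash.items()
                  if e["malicious"] or e["detection_pct"] >= min_detection)


if __name__ == "__main__":
    groups = triage(parse_records(SAMPLE_REPORT))
    for h, e in groups.items():
        print(h, e["size"], e["copies"], "copies", sorted(e["categories"]),
              "malicious" if e["malicious"] else f"{e['detection_pct']}% AV")
    print("IOCs:", ioc_list(groups, min_detection=50))
```

With a 50% detection threshold only the file the sandbox itself flagged (the 3036672-byte "modified" executable) survives; lowering the threshold to 1% also pulls in the two Inno Setup components with a 3% ReversingLabs rate, which is usually noise from installer heuristics rather than a useful blocklist entry.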
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Entropy (8bit):7.997995779792712
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 98.86%
                                                            • Inno Setup installer (109748/4) 1.08%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            File name:tKBxw8eOIV.exe
                                                            File size:3'722'172 bytes
                                                            MD5:51f4cfbe1c4f38beb7d4185086720317
                                                            SHA1:759e7e67ecc0b034d706125d6e2602c6051d2f63
                                                            SHA256:9e485a81d02dcd866ff2b63734bd9e5331319d6c6bd8c2aac53ef9e366556fcb
                                                            SHA512:ba0cfed8eef029049af9aabc9dbc07e4e853b42fcbf6060dc912e8fdc7378659669807507d2bf4d3074eb240c9f7f882da3466e2db241356df1ab7ab526a06d4
                                                            SSDEEP:98304:32j3Ueigw7UxZ+97pnu0okteY/EZaqjI6SRmBYZeIl7JS:Gjfig5iu0ok9/EZaL6SYYLl7JS
                                                            TLSH:810633A79EE984FBE066CEBCBF0AC1245533BF9240725006BBF966994B33DC01119797
                                                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                            Icon Hash:2d2e3797b32b2b99
                                                            Entrypoint:0x40a5f8
                                                            Entrypoint Section:CODE
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:1
                                                            OS Version Minor:0
                                                            File Version Major:1
                                                            File Version Minor:0
                                                            Subsystem Version Major:1
                                                            Subsystem Version Minor:0
                                                            Import Hash:884310b1928934402ea6fec1dbd3cf5e
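Two of the header fields above deserve a second look: the compile time 0x2A425E19 is the fixed value the Delphi linker writes into every image (Inno Setup installers are Delphi builds), so it says nothing about when the sample was built, and the image declares RELOCS_STRIPPED in its file characteristics while claiming DYNAMIC_BASE in its DLL characteristics, which means the loader treats it as non-relocatable and it runs at ImageBase without ASLR. The following is an added example, not Joe Sandbox's code, that decodes these fields from a PE32 image and emits those two notes. The PE layout follows the published PE/COFF offsets; the byte image it parses is constructed here to carry the values this report lists and is not the sample itself.

```python
import datetime
import struct

# IMAGE_FILE_HEADER.Characteristics bits, named the way the report prints them
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x1000: "SYSTEM", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {1: "native", 2: "windows gui", 3: "windows cui"}
DELPHI_TIMESTAMP = 0x2A425E19  # constant the Delphi linker writes instead of a build time


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data):
    """Decode the DOS, COFF and PE32 optional headers into the fields the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor, img_major, img_minor, ss_major, ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    when = datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)
    return {
        "machine": machine,
        "entrypoint": image_base + entry_rva,  # the report prints the VA, not the RVA
        "imagebase": image_base,
        "timestamp": ts,
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y UTC"),
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
        "os_version": (os_major, os_minor),
        "file_version": (img_major, img_minor),
        "subsystem_version": (ss_major, ss_minor),
    }


def assess(info):
    """Triage notes an analyst should draw from these header fields."""
    notes = []
    if info["timestamp"] == DELPHI_TIMESTAMP:
        notes.append("timestamp is the fixed Delphi linker constant, not a build date")
    if "RELOCS_STRIPPED" in info["characteristics"] and "DYNAMIC_BASE" in info["dll_characteristics"]:
        notes.append("DYNAMIC_BASE set but RELOCS_STRIPPED marks the image non-relocatable: "
                     "it loads at ImageBase, ASLR does not apply")
    return notes


def build_sample_pe():
    """Constructed minimal PE32 image carrying the header values this report
    lists (entrypoint 0x40a5f8, Delphi timestamp, characteristics 0x818F,
    DLL characteristics 0x8140). Headers only; not the analysed sample."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 8, DELPHI_TIMESTAMP, 0, 0, 96, 0x818F)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 2, 25, 0, 0, 0, 0xA5F8, 0x1000, 0, 0x400000, 0x1000, 0x200,
        1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 2, 0x8140, 0, 0, 0, 0, 0, 0,
    )
    return bytes(dos) + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    for k, v in info.items():
        print(f"{k}: {hex(v) if isinstance(v, int) else v}")
    for note in assess(info):
        print("note:", note)
```

To run it against the real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the parser only reads the headers, so the 3.7 MB installer overlay is never touched.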
                                                            Instruction
                                                            push ebp
                                                            mov ebp, esp
                                                            add esp, FFFFFFC4h
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            xor eax, eax
                                                            mov dword ptr [ebp-10h], eax
                                                            mov dword ptr [ebp-24h], eax
                                                            call 00007F114480F143h
                                                            call 00007F114481034Ah
                                                            call 00007F11448105D9h
                                                            call 00007F114481067Ch
                                                            call 00007F114481261Bh
                                                            call 00007F1144814F86h
                                                            call 00007F11448150EDh
                                                            xor eax, eax
                                                            push ebp
                                                            push 0040ACC9h
                                                            push dword ptr fs:[eax]
                                                            mov dword ptr fs:[eax], esp
                                                            xor edx, edx
                                                            push ebp
                                                            push 0040AC92h
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            mov eax, dword ptr [0040C014h]
                                                            call 00007F1144815B9Bh
                                                            call 00007F1144815786h
                                                            cmp byte ptr [0040B234h], 00000000h
                                                            je 00007F114481667Eh
                                                            call 00007F1144815C98h
                                                            xor eax, eax
                                                            call 00007F114480FE39h
                                                            lea edx, dword ptr [ebp-10h]
                                                            xor eax, eax
                                                            call 00007F1144812C2Bh
                                                            mov edx, dword ptr [ebp-10h]
                                                            mov eax, 0040CE2Ch
                                                            call 00007F114480F1DAh
                                                            push 00000002h
                                                            push 00000000h
                                                            push 00000001h
                                                            mov ecx, dword ptr [0040CE2Ch]
                                                            mov dl, 01h
                                                            mov eax, 0040738Ch
                                                            call 00007F11448134BAh
                                                            mov dword ptr [0040CE30h], eax
                                                            xor edx, edx
                                                            push ebp
                                                            push 0040AC4Ah
                                                            push dword ptr fs:[edx]
                                                            mov dword ptr fs:[edx], esp
                                                            call 00007F1144815BF6h
                                                            mov dword ptr [0040CE38h], eax
                                                            mov eax, dword ptr [0040CE38h]
                                                            cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | 611a4d7a24dd9b18a256468a5d7453f5 | False | 0.6052956882911392 | data | 6.631747641055028 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 2f7f9f859c8b4b133abf78cebd99cc90 | False | 0.306640625 | data | 2.7547169534996403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe90 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 37e923072c61cee26ec74415e8f2ab5f | False | 0.33149857954545453 | data | 4.5727961719482355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.25946372239747634
RT_MANIFEST | 0x13570 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
Description | Data
Comments | This installation was built with Inno Setup.
CompanyName |
FileDescription | Smart File Defrag Setup
FileVersion |
LegalCopyright |
ProductName | Smart File Defrag
ProductVersion |
Translation | 0x0000 0x04b0
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-04T10:38:29.348390+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.6 | 49985 | 176.113.115.96 | 443 | TCP
2025-03-04T10:38:29.812993+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49985 | 176.113.115.96 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 4, 2025 10:38:28.459321022 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:28.459378004 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:28.463334084 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:28.548804045 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:28.548846960 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.348298073 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.348390102 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.468372107 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.468406916 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.468806982 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.468875885 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.511940956 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.559335947 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.813024998 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.813163996 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
Mar 4, 2025 10:38:29.813287973 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.835624933 CET | 49985 | 443 | 192.168.2.6 | 176.113.115.96
Mar 4, 2025 10:38:29.835664034 CET | 443 | 49985 | 176.113.115.96 | 192.168.2.6
                                                            • 176.113.115.96
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49985 | 176.113.115.96 | 443 | 6212 | C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-04 09:38:29 UTC | 295 | OUT | GET /ai/?key=8f3f2b3ae14615677411efa3231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81329326be8e343a8f51f8a95b5ca212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd4da955d4ccd HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 176.113.115.96
2025-03-04 09:38:29 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 04 Mar 2025 09:38:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2025-03-04 09:38:29 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250
Target ID: 0
Start time: 04:36:21
Start date: 04/03/2025
Path: C:\Users\user\Desktop\tKBxw8eOIV.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\tKBxw8eOIV.exe"
Imagebase: 0x400000
File size: 3'722'172 bytes
MD5 hash: 51F4CFBE1C4F38BEB7D4185086720317
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 2
Start time: 04:36:22
Start date: 04/03/2025
Path: C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-8QKK3.tmp\tKBxw8eOIV.tmp" /SL5="$20438,3471488,56832,C:\Users\user\Desktop\tKBxw8eOIV.exe"
Imagebase: 0x400000
File size: 711'168 bytes
MD5 hash: A68E919AA98AF0107E6C6C200955EF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 3%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 3
Start time: 04:36:24
Start date: 04/03/2025
Path: C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Smart File Defrag 7.1.3\smartfiledefrag13.exe" -i
Imagebase: 0x400000
File size: 3'036'672 bytes
MD5 hash: 483573178F49D6667013866FB10AB1CB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.4020546247.00000000023A1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000003.00000002.4020890820.000000000268B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false
