Windows Analysis Report
cTgYsJEANZ.exe

Overview

General Information

Sample name: cTgYsJEANZ.exe (renamed because original name is a hash value)
Original sample name: cac77e1df9d179c4febe6e2a557bb32b.exe
Analysis ID: 1632286
MD5: cac77e1df9d179c4febe6e2a557bb32b
SHA1: d7df5da6790068408ddc055c94a4364525603103
SHA256: 02596ab86597670e98b7d1fa7cf26fd3a01a012f1e73eae0dbbdf55db80b6149
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cTgYsJEANZ.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\cTgYsJEANZ.exe" MD5: CAC77E1DF9D179C4FEBE6E2A557BB32B)
    • SplashWin.exe (PID: 7856 cmdline: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
      • SplashWin.exe (PID: 7928 cmdline: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe MD5: 4D20B83562EEC3660E45027AD56FB444)
        • cmd.exe (PID: 7944 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • explorer.exe (PID: 2592 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SplashWin.exe (PID: 2692 cmdline: "C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe" MD5: 4D20B83562EEC3660E45027AD56FB444)
    • cmd.exe (PID: 652 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • explorer.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative; Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7944, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 2592, ProcessName: explorer.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\fmoe; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\sidwwucavy; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\fmoe; ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\sidwwucavy; ReversingLabs: Detection: 34%
Source: cTgYsJEANZ.exe; Virustotal: Detection: 33%
Source: cTgYsJEANZ.exe; ReversingLabs: Detection: 23%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1285023656.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000000.1276820663.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000005.00000000.1284350705.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000005.00000002.1342375327.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000000.1509511213.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000002.1568966757.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe.3.dr, SplashWin.exe.0.dr
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290755518.000000006D815000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000005.00000002.1349856107.000000006D3C5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 0000000C.00000002.1573758515.000000006D735000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr
Source: Binary string: ntdll.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1345779864.0000000006910000.00000004.00000800.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1332304326.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000003.00000002.1290272799.000000000A1A6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290433336.000000000A500000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347575843.0000000009B60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1348095012.0000000009F1B000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347368947.000000000980C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1565250853.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566933841.0000000005440000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572878956.0000000009CD0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1573098316.000000000A08C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572746578.0000000009978000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778392677.0000000004C91000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778947237.00000000051C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: cTgYsJEANZ.exe, 00000000.00000002.1345779864.0000000006910000.00000004.00000800.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1332304326.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000003.00000002.1290272799.000000000A1A6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290433336.000000000A500000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347575843.0000000009B60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1348095012.0000000009F1B000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347368947.000000000980C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1565250853.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566933841.0000000005440000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572878956.0000000009CD0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1573098316.000000000A08C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572746578.0000000009978000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778392677.0000000004C91000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778947237.00000000051C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290755518.000000006D815000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000005.00000002.1349856107.000000006D3C5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 0000000C.00000002.1573758515.000000006D735000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1285023656.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000000.1276820663.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000005.00000000.1284350705.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000005.00000002.1342375327.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000000.1509511213.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000002.1568966757.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe.3.dr, SplashWin.exe.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1283552135.0000000001562000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1291003156.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000005.00000002.1349465168.000000006D331000.00000020.00000001.01000000.0000000E.sdmp, SplashWin.exe, 0000000C.00000002.1573873839.000000006D7A1000.00000020.00000001.01000000.0000000E.sdmp, vcruntime140.dll.3.dr, vcruntime140.dll.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000005.00000002.1349230520.000000006D2B1000.00000020.00000001.01000000.0000000F.sdmp, SplashWin.exe, 0000000C.00000002.1573586465.000000006D641000.00000020.00000001.01000000.0000000F.sdmp, msvcp140.dll.3.dr, msvcp140.dll.0.dr
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe; Code function: 5_2_6D2C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,5_2_6D2C20D0

Networking

Source: C:\Windows\SysWOW64\explorer.exe; Network Connect: 185.183.32.103 3333
Source: global traffic; TCP traffic: 192.168.2.4:49720 -> 185.183.32.103:3333
Source: Joe Sandbox View; ASN Name: WORLDSTREAMNL WORLDSTREAMNL
Source: unknown; TCP traffic detected without corresponding DNS query: 185.183.32.103
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0A
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0C
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0I
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0L
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://s2.symcb.com0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcb.com/sv.crt0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://sv.symcd.com0&
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009EBD000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009621000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.000000000526F000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.0000000009796000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.0000000004FF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.info-zip.org/
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/cps0(
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.symauth.com/rpa00
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.vmware.com/0/
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1282470227.0000000001561000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe.3.dr, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr, SplashWin.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290068660.0000000009F13000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1346880831.0000000009677000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566727187.00000000052B7000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572581044.00000000097EC000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7D88DB GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Code function: 0_2_0077A88F NtQuerySystemInformation
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Code function: 0_2_0077E57A
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7ED565
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7EBD34
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7EEC71
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D8054D8
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7DFCA0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D8077AA
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D804770
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D805E77
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A2052
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7E78E5
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7E68BD
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7EA345
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7EE315
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7D23BF
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7E8208
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B1E07
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B4EE0
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B4EC4
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B4BCC
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B658C
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B65EC
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B642C
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B6458
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B6494
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B14F2
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B6618
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B66E4
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B66D4
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B4EC4
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B4BCC
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\KM_daemon\DuiLib_u.dll 5A3E6B212447ECEE8E9A215C35F56AA3A3F45340F116AD9015C87D0C9C6E21AF
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\KM_daemon\msvcp140.dll 4CB882621A3D1C6283570447F842801B396DB1B3DCD2E01C2F7002EFD66A0A97
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: String function: 6D2EE6CF appears 38 times
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: String function: 6D2EE69B appears 123 times
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: String function: 6D7E9047 appears 43 times
Source: cTgYsJEANZ.exe | Static PE information: Number of sections : 11 > 10
Source: fmoe.6.dr | Static PE information: No import functions for PE file found
Source: sidwwucavy.13.dr | Static PE information: No import functions for PE file found
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.000000000798D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezip.exe( vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1345779864.0000000006A96000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.0000000005B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1332304326.0000000003605000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000000.1245277799.0000000000427000.00000020.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dllT vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAnyViewer4 vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1333898257.00000000064F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameiScrEditer.exeJ vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe, 00000000.00000002.1330720364.0000000002A46000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs cTgYsJEANZ.exe
Source: cTgYsJEANZ.exe | Binary or memory string: OriginalFileName vs cTgYsJEANZ.exe
Source: classification engine | Classification label: mal100.evad.winEXE@17/20@0/1
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2C2440 _Statvfs,GetDiskFreeSpaceExW
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7D57A2 ??0CDragSourceHelper@DuiLib@@QAE@XZ,CoCreateInstance
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Roaming\PersBackup6
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7956:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7684:120:WilError_03
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Local\Temp\7756466e
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Command line argument: AnyViewer (3_2_00DA19D0)
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Command line argument: AnyViewer (5_2_001719D0)
Source: cTgYsJEANZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cTgYsJEANZ.exe | Virustotal: Detection: 33%
Source: cTgYsJEANZ.exe | ReversingLabs: Detection: 23%
Source: cTgYsJEANZ.exe | String found in binary or memory: pbe-help.chm
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File read: C:\Users\user\Desktop\cTgYsJEANZ.exe
Source: unknown | Process created: C:\Users\user\Desktop\cTgYsJEANZ.exe "C:\Users\user\Desktop\cTgYsJEANZ.exe"
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process created: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe "C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe"
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process created: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Process created: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: portabledeviceapi.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: pla.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: tdh.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: duilib_u.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: pla.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: pdh.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: tdh.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: d3d9.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: duilib_u.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: pla.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: pdh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: tdh.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: shdocvw.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\cTgYsJEANZ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: ljmvxrux.6.drLNK file: ..\..\Roaming\KM_daemon\SplashWin.exe
Source: C:\Users\user\Desktop\cTgYsJEANZ.exeWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: cTgYsJEANZ.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
Source: cTgYsJEANZ.exeStatic file information: File size 10493128 > 1048576
Source: cTgYsJEANZ.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x484a00
Source: cTgYsJEANZ.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x486000
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb,, source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1285023656.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000000.1276820663.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000005.00000000.1284350705.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000005.00000002.1342375327.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000000.1509511213.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000002.1568966757.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe.3.dr, SplashWin.exe.0.dr
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdbww3 source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290755518.000000006D815000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000005.00000002.1349856107.000000006D3C5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 0000000C.00000002.1573758515.000000006D735000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr
Source: Binary string: ntdll.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1345779864.0000000006910000.00000004.00000800.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1332304326.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SplashWin.exe, 00000003.00000002.1290272799.000000000A1A6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290433336.000000000A500000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347575843.0000000009B60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1348095012.0000000009F1B000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347368947.000000000980C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1565250853.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566933841.0000000005440000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572878956.0000000009CD0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1573098316.000000000A08C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572746578.0000000009978000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778392677.0000000004C91000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778947237.00000000051C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: cTgYsJEANZ.exe, 00000000.00000002.1345779864.0000000006910000.00000004.00000800.00020000.00000000.sdmp, cTgYsJEANZ.exe, 00000000.00000002.1332304326.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SplashWin.exe, 00000003.00000002.1290272799.000000000A1A6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290433336.000000000A500000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347575843.0000000009B60000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1348095012.0000000009F1B000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 00000005.00000002.1347368947.000000000980C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1565250853.0000000004F02000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.1566933841.0000000005440000.00000004.00001000.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572878956.0000000009CD0000.00000004.00000800.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1573098316.000000000A08C000.00000004.00000001.00020000.00000000.sdmp, SplashWin.exe, 0000000C.00000002.1572746578.0000000009978000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778392677.0000000004C91000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.1778947237.00000000051C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\workdir\ProgramDatabase\DuiLib_u.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1290755518.000000006D815000.00000002.00000001.01000000.00000008.sdmp, SplashWin.exe, 00000005.00000002.1349856107.000000006D3C5000.00000002.00000001.01000000.0000000D.sdmp, SplashWin.exe, 0000000C.00000002.1573758515.000000006D735000.00000002.00000001.01000000.0000000D.sdmp, DuiLib_u.dll.3.dr, DuiLib_u.dll.0.dr
Source: Binary string: E:\workdir\vc\rbin\RCClient\SplashWin.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1285023656.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000003.00000000.1276820663.0000000000DA3000.00000002.00000001.01000000.00000007.sdmp, SplashWin.exe, 00000005.00000000.1284350705.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 00000005.00000002.1342375327.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000000.1509511213.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe, 0000000C.00000002.1568966757.0000000000173000.00000002.00000001.01000000.0000000C.sdmp, SplashWin.exe.3.dr, SplashWin.exe.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: cTgYsJEANZ.exe, 00000000.00000002.1348379963.00000000075E6000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000003.1283552135.0000000001562000.00000004.00000020.00020000.00000000.sdmp, SplashWin.exe, 00000003.00000002.1291003156.000000006ED91000.00000020.00000001.01000000.00000009.sdmp, SplashWin.exe, 00000005.00000002.1349465168.000000006D331000.00000020.00000001.01000000.0000000E.sdmp, SplashWin.exe, 0000000C.00000002.1573873839.000000006D7A1000.00000020.00000001.01000000.0000000E.sdmp, vcruntime140.dll.3.dr, vcruntime140.dll.0.dr
Source: Binary string: D:\agent\_work\20\s\\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: SplashWin.exe, SplashWin.exe, 00000005.00000002.1349230520.000000006D2B1000.00000020.00000001.01000000.0000000F.sdmp, SplashWin.exe, 0000000C.00000002.1573586465.000000006D641000.00000020.00000001.01000000.0000000F.sdmp, msvcp140.dll.3.dr, msvcp140.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A315F ?DoCreateControl@CActiveXUI@DuiLib@@MAEHXZ,__EH_prolog3_catch,?IsEmpty@CDuiString@DuiLib@@QBEHXZ,??BCDuiString@DuiLib@@QBEPB_WXZ,LoadLibraryW,GetProcAddress,CoCreateInstance,?SendNotify@CPaintManagerUI@DuiLib@@QAEXPAVCControlUI@2@PB_WIJH@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,3_2_6D7A315F
Source: DuiLib_u.dll.3.dr | Static PE information: real checksum: 0xda891 should be: 0xda31a
Source: fmoe.6.dr | Static PE information: real checksum: 0x0 should be: 0x117ba0
Source: sidwwucavy.13.dr | Static PE information: real checksum: 0x0 should be: 0x117ba0
Source: DuiLib_u.dll.0.dr | Static PE information: real checksum: 0xda891 should be: 0xda31a
Source: cTgYsJEANZ.exe | Static PE information: section name: .didata
Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
Source: msvcp140.dll.3.dr | Static PE information: section name: .didat
Source: fmoe.6.dr | Static PE information: section name: .xyz
Source: fmoe.6.dr | Static PE information: section name: eyp
Source: sidwwucavy.13.dr | Static PE information: section name: .xyz
Source: sidwwucavy.13.dr | Static PE information: section name: eyp
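The checksum and section-name findings above are cheap static checks that can be reproduced without a sandbox. The Python below is an added example, not code from Joe Sandbox or from the sample: it recomputes the PE header checksum with the standard algorithm (the one CheckSumMappedFile implements: sum all 32-bit words except the CheckSum field, fold the carries, add the file size), compares it with the stored CheckSum field, and flags section names outside an allow-list. KNOWN_SECTIONS is the example's own list and not an official one, and build_sample_pe() constructs a header-only PE32 in memory as test input; on a real file, pass the file bytes to triage().

```python
import struct

# Section names common in MSVC/Delphi output. This allow-list is an assumption
# for the example, not an official list; tune it to the binaries you see.
KNOWN_SECTIONS = {
    b".text", b".rdata", b".data", b".idata", b".edata", b".pdata", b".rsrc",
    b".reloc", b".bss", b".tls", b".didat", b".didata", b".itext", b".CRT",
    b".gfids", b".00cfg", b"INIT", b"PAGE",
}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the image checksum: sum of all dwords except the CheckSum
    field, carries folded back in, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)     # last partial dword is zero-padded
    skip = checksum_offset & ~3                   # dword that holds the CheckSum field
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def parse_pe(data: bytes) -> dict:
    """Locate the CheckSum field and read the section table of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    checksum_offset = opt + 64          # same offset in PE32 and PE32+ optional headers
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    sect = opt + opt_size
    names = [data[sect + i * 40: sect + i * 40 + 8].rstrip(b"\0") for i in range(nsections)]
    return {"checksum_offset": checksum_offset, "stored_checksum": stored, "sections": names}


def triage(data: bytes) -> list:
    """Static findings phrased like the report lines: checksum mismatch, odd section names."""
    info = parse_pe(data)
    findings = []
    expected = pe_checksum(data, info["checksum_offset"])
    if info["stored_checksum"] != expected:
        findings.append(f"real checksum: {info['stored_checksum']:#x} should be: {expected:#x}")
    for name in info["sections"]:
        if name not in KNOWN_SECTIONS:
            findings.append(f"section name: {name.decode('latin-1')}")
    return findings


def fix_checksum(data: bytes) -> bytes:
    """Return a copy of the image with a correct CheckSum field (what a linker writes)."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe(section_names, checksum: int = 0) -> bytes:
    """Constructed header-only PE32 used as test input; it is not a loadable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)     # CheckSum field
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    # Mirrors the fmoe/sidwwucavy findings: zero checksum plus .xyz and eyp sections.
    for line in triage(build_sample_pe([b".text", b".xyz", b"eyp"])):
        print(line)
```

A zero stored checksum (as on fmoe and sidwwucavy) is not itself malicious; user-mode images are not required to carry one and many packers leave it empty. A non-zero value that does not match, as on DuiLib_u.dll, means the header was edited after linking and is the stronger signal.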
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA2A26 push ecx; ret 3_2_00DA2A39
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7E9FDF push ecx; mov dword ptr [esp], 3F800000h 3_2_6D7E9FFB
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D80C16F push ecx; ret 3_2_6D80C182
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A2052 push ecx; mov dword ptr [esp], 3F800000h 3_2_6D7A2289
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_00172A26 push ecx; ret 5_2_00172A39
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2EE675 push ecx; ret 5_2_6D2EE688
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2B1119 pushad ; retn 0000h 5_2_6D2B12B0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\KM_daemon\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\KM_daemon\DuiLib_u.dll
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\KM_daemon\msvcp140.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Local\Temp\KM_daemon\vcruntime140.dll
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\fmoe
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | File created: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Local\Temp\KM_daemon\DuiLib_u.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Local\Temp\KM_daemon\msvcp140.dll
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | File created: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\sidwwucavy
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\fmoe
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\sidwwucavy

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FMOE
Source: C:\Windows\SysWOW64\cmd.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SIDWWUCAVY
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7BE04D ?OnSize@CMenuWnd@DuiLib@@UAEJIIJAAH@Z,?GetRoundCorner@CPaintManagerUI@DuiLib@@QBE?AUtagSIZE@@XZ,??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ,IsIconic,??0CDuiRect@DuiLib@@QAE@XZ,??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ,GetWindowRect,?Offset@CDuiRect@DuiLib@@QAEXHH@Z,CreateRoundRectRgn,??BCWindowWnd@DuiLib@@QBEPAUHWND__@@XZ,SetWindowRgn,DeleteObject,3_2_6D7BE04D
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\explorer.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | API/Special instruction interceptor: Address: 6D499364
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | API/Special instruction interceptor: Address: 6D499364
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | API/Special instruction interceptor: Address: 6D499065
Source: C:\Windows\SysWOW64\cmd.exe | API/Special instruction interceptor: Address: 6D493B54
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: B5A317
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 941145
Source: C:\Windows\SysWOW64\explorer.exe | API/Special instruction interceptor: Address: 34B1145
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 667
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 660
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 494
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: foregroundWindowGot 502
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fmoe
Source: C:\Windows\SysWOW64\cmd.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sidwwucavy
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | API coverage: 0.4 %
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2C20D0 _Open_dir,FindFirstFileExW,__Read_dir,FindClose,5_2_6D2C20D0
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Code function: 0_2_00415F30 GetSystemInfo,0_2_00415F30
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1!0
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000D.00000002.1778812653.000000000503D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA1BA5 IsDebuggerPresent,OutputDebugStringW,3_2_00DA1BA5
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A315F ?DoCreateControl@CActiveXUI@DuiLib@@MAEHXZ,__EH_prolog3_catch,?IsEmpty@CDuiString@DuiLib@@QBEHXZ,??BCDuiString@DuiLib@@QBEPB_WXZ,LoadLibraryW,GetProcAddress,CoCreateInstance,?SendNotify@CPaintManagerUI@DuiLib@@QAEXPAVCControlUI@2@PB_WIJH@Z,?GetPaintWindow@CPaintManagerUI@DuiLib@@QBEPAUHWND__@@XZ,3_2_6D7A315F
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA14C0 GetProcessHeap,__Init_thread_footer,__Init_thread_footer,3_2_00DA14C0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA27E0 SetUnhandledExceptionFilter,3_2_00DA27E0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00DA264A
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA2529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00DA2529
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D80CFD7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6D80CFD7
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_00172529 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00172529
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_0017264A IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0017264A
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_001727E0 SetUnhandledExceptionFilter,5_2_001727E0
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2EEEB8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_6D2EEEB8
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_6D2EF27B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6D2EF27B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe | Network Connect: 185.183.32.103 3333
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6D357625
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtClose: Direct from: 0x7FFC9DA4982C
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtAllocateVirtualMemory: Direct from: 0x7FFC9DA48E14
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtQuerySystemInformation: Direct from: 0x7FFC9DA36118
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtCreateFile: Direct from: 0x7FFC9DA497E6
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtProtectVirtualMemory: Direct from: 0x7FFC9DA4973A
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | NtProtectVirtualMemory: Direct from: 0x755C8769
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtProtectVirtualMemory: Direct from: 0x7FFC9DA494F5
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6D6C7625
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtClose: Direct from: 0x1C
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | NtQuerySystemInformation: Direct from: 0x6D7A7625
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtQuerySystemInformation: Direct from: 0x6C006C
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtWriteFile: Direct from: 0x7FFC9DA49822
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtAllocateVirtualMemory: Direct from: 0x7FFC9DA49635
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtAllocateVirtualMemory: Direct from: 0x7FFC9DA360D4
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | NtProtectVirtualMemory: Direct from: 0x75640353
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | NtClose: Direct from: 0x29E0300
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 2592 base: B579C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: PID: 1904 base: B579C0 value: 55
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B579C0
Source: C:\Windows\SysWOW64\cmd.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: B579C0
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Process created: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
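The lines above describe one chain: SplashWin.exe maps a section into and starts cmd.exe, cmd.exe writes into and starts a SysWOW64 explorer.exe, that explorer.exe connects to 185.183.32.103 on port 3333, several Nt* calls are issued from return addresses outside ntdll, and SplashWin.exe enumerates root\SecurityCenter2 AntiVirusProduct (WMI lines further down). As an added example, not Joe Sandbox code and not part of the report, the Python below runs five detection rules over constructed telemetry records that mirror those findings. The pids, the per-process module map and the benign control events are invented for the example; the expected parents of explorer.exe and the "standard ports" set are assumptions a real deployment would tune.

```python
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record; which fields are used depends on kind (see detect)."""
    kind: str                # process_create | memory_write | network_connect | syscall | wmi_query
    pid: int
    image: str
    parent_image: str = ""   # process_create
    target_pid: int = 0      # memory_write
    target_image: str = ""   # memory_write
    dest_ip: str = ""        # network_connect
    dest_port: int = 0       # network_connect
    api: str = ""            # syscall: Nt* function reached
    caller: int = 0          # syscall: return address the stub was reached from
    query: str = ""          # wmi_query: namespace and class


# Assumptions for the example: explorer.exe is normally started by userinit.exe or by
# another explorer.exe, and only these ports count as "standard" for a shell process.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}
STANDARD_PORTS = {80, 443, 53}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_module(addr: int, modules, name: str) -> bool:
    """True if addr lies inside the module called `name` in a [(name, base, size)] list."""
    return any(n.lower() == name and base <= addr < base + size for n, base, size in modules)


def detect(events, module_maps):
    """Apply the rules in event order. module_maps: {pid: [(name, base, size), ...]}.
    Returns (rule, pid, detail) tuples; a cross-process write marks its target as
    injected so that later network activity from it is attributed to the injection."""
    alerts = []
    injected = set()
    for ev in events:
        img = basename(ev.image)
        if ev.kind == "process_create" and img == "explorer.exe" \
                and basename(ev.parent_image) not in EXPECTED_EXPLORER_PARENTS:
            alerts.append(("explorer_unexpected_parent", ev.pid, f"parent={basename(ev.parent_image)}"))
        elif ev.kind == "memory_write" and ev.target_pid != ev.pid:
            injected.add(ev.target_pid)
            alerts.append(("cross_process_write", ev.pid,
                           f"target={basename(ev.target_image)} pid={ev.target_pid}"))
        elif ev.kind == "network_connect" and ev.dest_port not in STANDARD_PORTS \
                and (ev.pid in injected or img == "explorer.exe"):
            tag = "after cross-process write" if ev.pid in injected else "no prior write seen"
            alerts.append(("shell_process_nonstandard_port", ev.pid, f"{ev.dest_ip}:{ev.dest_port} ({tag})"))
        elif ev.kind == "syscall" and not in_module(ev.caller, module_maps.get(ev.pid, []), "ntdll.dll"):
            alerts.append(("direct_syscall", ev.pid, f"{ev.api} from {ev.caller:#x}"))
        elif ev.kind == "wmi_query" and "securitycenter2" in ev.query.lower():
            alerts.append(("security_software_discovery", ev.pid, ev.query))
    return alerts


# Constructed telemetry mirroring this report's chain; pids and the ntdll range are invented.
SAMPLE_EVENTS = [
    Event("process_create", 2592, r"C:\Windows\SysWOW64\explorer.exe", parent_image=r"C:\Windows\SysWOW64\cmd.exe"),
    Event("memory_write", 4100, r"C:\Windows\SysWOW64\cmd.exe", target_pid=2592,
          target_image=r"C:\Windows\SysWOW64\explorer.exe"),
    Event("network_connect", 2592, r"C:\Windows\SysWOW64\explorer.exe", dest_ip="185.183.32.103", dest_port=3333),
    Event("network_connect", 900, r"C:\Windows\System32\svchost.exe", dest_ip="10.0.0.5", dest_port=443),  # control
    Event("syscall", 5020, r"C:\Users\user\Desktop\cTgYsJEANZ.exe", api="NtAllocateVirtualMemory", caller=0x6D357625),
    Event("syscall", 5020, r"C:\Users\user\Desktop\cTgYsJEANZ.exe", api="NtClose", caller=0x77012345),  # inside ntdll
    Event("wmi_query", 6100, r"C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe",
          query=r"root\SecurityCenter2 : AntiVirusProduct"),
]
SAMPLE_MODULES = {5020: [("ntdll.dll", 0x77000000, 0x1A0000), ("kernel32.dll", 0x76800000, 0xF0000)]}

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(f"{rule:32} pid={pid:<6} {detail}")
```

The direct-syscall rule is the one that needs the most care in practice: the caller address has to be compared against the ntdll range of the process that issued the call (a WOW64 process has both a 32-bit and a 64-bit ntdll), and legitimate software with its own syscall stubs will also trip it, so it is best used to raise the score of an already suspicious process rather than as a standalone alert.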
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA2835 cpuid 3_2_00DA2835
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: _Getdateorder,___lc_locale_name_func,__crtGetLocaleInfoEx,5_2_6D2D7770
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: __crtGetLocaleInfoEx,GetLocaleInfoEx,?isfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAEXXZ,GetLocaleInfoEx,GetLocaleInfoW,5_2_6D2BC160
Source: C:\Users\user\Desktop\cTgYsJEANZ.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7756466e VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA2B75 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00DA2B75
Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_00DA13A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,3_2_00DA13A0
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A55EB ?BindTabLayoutName@CButtonUI@DuiLib@@UAEXPB_W@Z,3_2_6D7A55EB
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A55D7 ?BindTabIndex@CButtonUI@DuiLib@@UAEXH@Z,3_2_6D7A55D7
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A5604 ?BindTriggerTabSel@CButtonUI@DuiLib@@UAEXH@Z,?FindControl@CPaintManagerUI@DuiLib@@QBEPAVCControlUI@2@PB_W@Z,3_2_6D7A5604
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A58AE ?GetBindTabLayoutName@CButtonUI@DuiLib@@UAEPB_WXZ,3_2_6D7A58AE
Source: C:\Users\user\AppData\Local\Temp\KM_daemon\SplashWin.exe | Code function: 3_2_6D7A58A7 ?GetBindTabLayoutIndex@CButtonUI@DuiLib@@UAEHXZ,3_2_6D7A58A7
Source: C:\Users\user\AppData\Roaming\KM_daemon\SplashWin.exe | Code function: 5_2_001713A0 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,5_2_001713A0
MITRE ATT&CK matrix, one line per tactic column; the leading numbers are kept as they appear in the report next to the matched techniques:

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; 3 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 11 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 411 Process Injection; 1 Abuse Elevation Control Mechanism; 11 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 11 Masquerading; 1 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 11 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 331 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Process Discovery; 11 Application Window Discovery; 2 File and Directory Discovery; 135 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1632286  Sample: cTgYsJEANZ.exe  Startdate: 07/03/2025  Architecture: WINDOWS  Score: 100

Signatures on the sample:
  • Antivirus detection for dropped file
  • Multi AV Scanner detection for dropped file
  • Multi AV Scanner detection for submitted file
  • Joe Sandbox ML detected suspicious sample

Process tree (started processes, dropped files, network endpoints and signatures per process):

cTgYsJEANZ.exe 12
    Dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\Local\...\msvcp140.dll, PE32; C:\Users\user\AppData\Local\...\SplashWin.exe, PE32; C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32
    Signatures: Found direct / indirect Syscall (likely to bypass EDR)
    SplashWin.exe 7
        Dropped: C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\...\msvcp140.dll, PE32; C:\Users\user\AppData\...\SplashWin.exe, PE32; C:\Users\user\AppData\...\DuiLib_u.dll, PE32
        Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        SplashWin.exe 1
            Signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
            cmd.exe 4
                Dropped: C:\Users\user\AppData\Local\Temp\fmoe, PE32
                Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); 2 other signatures
                explorer.exe 5
                    Network: 185.183.32.103, 3333, 49720, 49721 WORLDSTREAMNL Netherlands
                    Signatures: Query firmware table information (likely to detect VMs); Switches to a custom stack to bypass stack traces
                conhost.exe
        conhost.exe
SplashWin.exe 1
    Signatures: Maps a DLL or memory area into another process
    cmd.exe 2
        Dropped: C:\Users\user\AppData\Local\Temp\sidwwucavy, PE32
        Signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
        explorer.exe 1
            Signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs)
        conhost.exe

This section contains all screenshots as thumbnails, including those not shown in the slideshow.