Edit tour

Windows Analysis Report
eF5TnJ6Frr.exe

Overview

General Information

Sample name:	eF5TnJ6Frr.exe renamed because original name is a hash value
Original sample name:	64c169c314628f2d39716e5df389ccf8.exe
Analysis ID:	1633095
MD5:	64c169c314628f2d39716e5df389ccf8
SHA1:	2407a5cf0c01766e6e3cf374209d6ed867b02f95
SHA256:	45038c6657b1e477152288793fa04a93cdca30145ea43781fde019ad7c2b385c
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

Socks5Systemz

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Socks5Systemz

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to infect the boot sector

Found API chain indicative of debugger detection

Joe Sandbox ML detected suspicious sample

PE file has a writeable .text section

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

eF5TnJ6Frr.exe (PID: 8148 cmdline: "C:\Users\user\Desktop\eF5TnJ6Frr.exe" MD5: 64C169C314628F2D39716E5DF389CCF8)

eF5TnJ6Frr.tmp (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp" /SL5="$204A2,3382697,56832,C:\Users\user\Desktop\eF5TnJ6Frr.exe" MD5: DFA637091792C3F3724C581EC9F04892)

defragtoolspro.exe (PID: 8188 cmdline: "C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe" -i MD5: E5C9D0A8A16B10B0807C9ADE3B647EFA)

svchost.exe (PID: 7404 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7484 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7524 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7736 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7752 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 3368 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2467069280.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000002.00000002.2466991985.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: defragtoolspro.exe PID: 8188	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7404, ProcessName: svchost.exe

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T20:00:15.548078+0100	2028765	3	Unknown Traffic	192.168.2.4	49721	176.113.115.96	443	TCP
2025-03-09T20:00:27.983544+0100	2028765	3	Unknown Traffic	192.168.2.4	49725	176.113.115.96	443	TCP
2025-03-09T20:00:40.407948+0100	2028765	3	Unknown Traffic	192.168.2.4	49728	176.113.115.96	443	TCP
2025-03-09T20:00:51.168105+0100	2028765	3	Unknown Traffic	192.168.2.4	49731	95.215.206.151	443	TCP
2025-03-09T20:00:54.025219+0100	2028765	3	Unknown Traffic	192.168.2.4	49732	95.215.206.151	443	TCP
2025-03-09T20:00:59.597620+0100	2028765	3	Unknown Traffic	192.168.2.4	49734	95.215.206.151	443	TCP
2025-03-09T20:01:03.420823+0100	2028765	3	Unknown Traffic	192.168.2.4	49735	95.215.206.151	443	TCP
2025-03-09T20:01:06.159254+0100	2028765	3	Unknown Traffic	192.168.2.4	49736	95.215.206.151	443	TCP
2025-03-09T20:01:09.022061+0100	2028765	3	Unknown Traffic	192.168.2.4	49737	95.215.206.151	443	TCP
2025-03-09T20:01:12.226597+0100	2028765	3	Unknown Traffic	192.168.2.4	49738	95.215.206.151	443	TCP
2025-03-09T20:01:15.041516+0100	2028765	3	Unknown Traffic	192.168.2.4	49739	95.215.206.151	443	TCP
2025-03-09T20:01:17.928737+0100	2028765	3	Unknown Traffic	192.168.2.4	49740	95.215.206.151	443	TCP
2025-03-09T20:01:20.808335+0100	2028765	3	Unknown Traffic	192.168.2.4	49741	95.215.206.151	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-09T20:00:51.870868+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	95.215.206.151	443	TCP
2025-03-09T20:00:54.736286+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49732	95.215.206.151	443	TCP
2025-03-09T20:01:00.294440+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49734	95.215.206.151	443	TCP
2025-03-09T20:01:04.109614+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49735	95.215.206.151	443	TCP
2025-03-09T20:01:06.882504+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49736	95.215.206.151	443	TCP
2025-03-09T20:01:09.809939+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49737	95.215.206.151	443	TCP
2025-03-09T20:01:12.943779+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	95.215.206.151	443	TCP
2025-03-09T20:01:15.740720+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49739	95.215.206.151	443	TCP
2025-03-09T20:01:18.621542+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49740	95.215.206.151	443	TCP
2025-03-09T20:01:21.514843+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49741	95.215.206.151	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946851e91fcd85241	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946851e91fcd85241	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac0290	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5	Avira URL Cloud: Label: malware
Source: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Avira: detection malicious, Label: ADWARE/AVI.ICLoader.ysgvg
Source: C:\ProgramData\DefragToolsPro\DefragToolsPro.exe	Avira: detection malicious, Label: ADWARE/AVI.ICLoader.ysgvg

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DefragToolsPro\DefragToolsPro.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: eF5TnJ6Frr.exe	Virustotal: Detection: 25%			Perma Link
Source: eF5TnJ6Frr.exe	ReversingLabs: Detection: 21%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045D230 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045D230
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045D2E4 ArcFourCrypt,	1_2_0045D2E4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045D2FC ArcFourCrypt,	1_2_0045D2FC
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Unpacked PE file: 2.2.defragtoolspro.exe.400000.0.unpack

Source: eF5TnJ6Frr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defrag Tools Pro_is1

Jump to behavior

Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: eF5TnJ6Frr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-J59BF.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-5NBFO.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.93.20.230:2024

Source: Joe Sandbox View

IP Address: 176.113.115.96 176.113.115.96

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49721 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49734 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49732 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49728 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49725 -> 176.113.115.96:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49735 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49731 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49740 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49732 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49740 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49734 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49739 -> 95.215.206.151:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 95.215.206.151:443

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.96
Source: unknown	TCP traffic detected without corresponding DNS query: 95.215.206.151
Source: unknown	TCP traffic detected without corresponding DNS query: 95.215.206.151

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CD2B95 WSASetLastError,WSARecv,WSASetLastError,select,

2_2_02CD2B95

Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946851e91fcd85241ab258d81329326be8ef43a8f51f8a95b5cd212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d4348dd1d6925549c1 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210ee31bd505672e26e5fd09b4a145c9c4e9976278d7f0449ad5f64dd7cc9f4badbff4c50d15918a5449d3323240976481d5d5905c4dcd763cf8d5 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151
Source: global traffic	HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac02909e811d61329366be8eb43a8ec4cdb8eec906920dff156d3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d3935949cc7432f1dc0e HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 95.215.206.151

Source: is-5LK4E.tmp.1.dr, is-1K3IJ.tmp.1.dr	String found in binary or memory: http://icu-project.org
Source: svchost.exe, 00000003.00000002.1364793231.0000021FE6013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: eF5TnJ6Frr.tmp, eF5TnJ6Frr.tmp, 00000001.00000002.2464766278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, eF5TnJ6Frr.tmp.0.dr, is-NAA2F.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: eF5TnJ6Frr.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: eF5TnJ6Frr.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: eF5TnJ6Frr.exe, 00000000.00000003.1223562867.0000000002350000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.exe, 00000000.00000003.1223695253.0000000002088000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, eF5TnJ6Frr.tmp, 00000001.00000002.2464766278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, eF5TnJ6Frr.tmp.0.dr, is-NAA2F.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: eF5TnJ6Frr.exe, 00000000.00000003.1223562867.0000000002350000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.exe, 00000000.00000003.1223695253.0000000002088000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, 00000001.00000002.2464766278.0000000000401000.00000020.00000001.01000000.00000004.sdmp, eF5TnJ6Frr.tmp.0.dr, is-NAA2F.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000003.2098151119.0000000003348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/
Source: defragtoolspro.exe, 00000002.00000003.2098151119.0000000003348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/-
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000003.2098168723.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38c926d19fe6595cd66946851e91fcd85241
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2467457722.0000000003340000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000003.2098168723.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38d926d19fe6595cd66946851e91fcd85241
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000003.2098168723.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://176.113.115.96/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f926d19fe6595cd66946851e91fcd85241
Source: defragtoolspro.exe, 00000002.00000002.2467457722.000000000334D000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2467457722.0000000003344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb386926d19fe6595cd66946951e91fcd85210
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2467457722.0000000003344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb387926d19fe6595cd66946951e91fcd85210
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb388926d19fe6595cd66946951e91fcd85210
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb389926d19fe6595cd66946951e91fcd85210
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38a926d19fe6595cd66946851e91fcd85241
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38b926d19fe6595cd66946851e91fcd85241
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003340000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f842a1cec7a86d87bdb6546ad12dac0290
Source: defragtoolspro.exe, 00000002.00000002.2467457722.0000000003388000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f852a1cec7a86d87bdb6546ad12dac0290
Source: defragtoolspro.exe, 00000002.00000002.2467457722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f862a1cec7a86d87bdb6546ad12dac0290
Source: defragtoolspro.exe, 00000002.00000002.2467457722.000000000334D000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A0E000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2467457722.0000000003344000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/ai/?key=8f3f2b3ab14e166f251de6a5231678fbb38f872a1cec7a86d87bdb6546ad12dac0290
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/en-GB
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/en-US
Source: defragtoolspro.exe, 00000002.00000002.2467457722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/icies
Source: defragtoolspro.exe, 00000002.00000002.2467457722.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.215.206.151/rosoft
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364864148.0000021FE6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000003.00000003.1364294790.0000021FE6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364429472.0000021FE6041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364207406.0000021FE606E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364350172.0000021FE605E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364407060.0000021FE605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364956812.0000021FE6070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364207406.0000021FE606E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364956812.0000021FE6070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1364943247.0000021FE6068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364281984.0000021FE6067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1364094531.0000021FE6075000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364971379.0000021FE6077000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1364294790.0000021FE6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364407060.0000021FE605A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364810207.0000021FE602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000003.00000002.1364943247.0000021FE6068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364281984.0000021FE6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364810207.0000021FE602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000003.00000003.1364294790.0000021FE6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364810207.0000021FE602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000003.00000003.1364429472.0000021FE6041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000003.00000003.1364294790.0000021FE6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364294790.0000021FE6062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364929038.0000021FE6063000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364429472.0000021FE6041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364956812.0000021FE6070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.1364943247.0000021FE6068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1364281984.0000021FE6067000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364810207.0000021FE602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000003.00000003.1364429472.0000021FE6041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364837454.0000021FE6042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364864148.0000021FE6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000003.00000002.1364810207.0000021FE602B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000003.00000003.1364372767.0000021FE6058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1364864148.0000021FE6059000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: eF5TnJ6Frr.exe, 00000000.00000003.1223280972.0000000002081000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.exe, 00000000.00000003.1223217091.0000000002350000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.exe, 00000000.00000002.2465460091.0000000002081000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, 00000001.00000003.1224931810.0000000003130000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, 00000001.00000003.1224993868.0000000002258000.00000004.00001000.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, 00000001.00000002.2465767756.000000000064E000.00000004.00000020.00020000.00000000.sdmp, eF5TnJ6Frr.tmp, 00000001.00000002.2466455866.0000000002258000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.easycutstudio.com/support.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.215.206.151:443 -> 192.168.2.4:49732 version: TLS 1.2

System Summary

PE file has a writeable .text section

Source: defragtoolspro.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DefragToolsPro.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0042F594 NtdllDefWindowProc_A,	1_2_0042F594
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00479380 NtdllDefWindowProc_A,	1_2_00479380
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045763C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045763C

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_0042E944: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E944

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00470C74	1_2_00470C74
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0043533C	1_2_0043533C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004813C4	1_2_004813C4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00467848	1_2_00467848
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004303D0	1_2_004303D0
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0044453C	1_2_0044453C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004885E0	1_2_004885E0
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00434638	1_2_00434638
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00444AE4	1_2_00444AE4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0048ED0C	1_2_0048ED0C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00430F5C	1_2_00430F5C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045F16C	1_2_0045F16C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004451DC	1_2_004451DC
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045B21C	1_2_0045B21C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004455E8	1_2_004455E8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00487680	1_2_00487680
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0046989C	1_2_0046989C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00451A30	1_2_00451A30
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0043DDC4	1_2_0043DDC4
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_004067B7	2_2_004067B7
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609660FA	2_2_609660FA
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6092114F	2_2_6092114F
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6091F2C9	2_2_6091F2C9
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096923E	2_2_6096923E
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6093323D	2_2_6093323D
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095C314	2_2_6095C314
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60950312	2_2_60950312
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094D33B	2_2_6094D33B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6093B368	2_2_6093B368
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096748C	2_2_6096748C
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6093F42E	2_2_6093F42E
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60954470	2_2_60954470
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609615FA	2_2_609615FA
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096A5EE	2_2_6096A5EE
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096D6A4	2_2_6096D6A4
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609606A8	2_2_609606A8
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60932654	2_2_60932654
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60955665	2_2_60955665
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094B7DB	2_2_6094B7DB
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6092F74D	2_2_6092F74D
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60964807	2_2_60964807
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094E9BC	2_2_6094E9BC
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60937929	2_2_60937929
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6093FAD6	2_2_6093FAD6
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096DAE8	2_2_6096DAE8
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094DA3A	2_2_6094DA3A
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60936B27	2_2_60936B27
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60954CF6	2_2_60954CF6
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60950C6B	2_2_60950C6B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60966DF1	2_2_60966DF1
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60963D35	2_2_60963D35
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60909E9C	2_2_60909E9C
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60951E86	2_2_60951E86
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60912E0B	2_2_60912E0B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60954FF8	2_2_60954FF8
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CEBAED	2_2_02CEBAED
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CF2A70	2_2_02CF2A70
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CED31F	2_2_02CED31F
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CE70B0	2_2_02CE70B0
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CDE071	2_2_02CDE071
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CF266D	2_2_02CF266D
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CEBF05	2_2_02CEBF05
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CE873A	2_2_02CE873A
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CEB5F9	2_2_02CEB5F9
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_02CF0DA4	2_2_02CF0DA4

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DefragToolsPro\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\Qt5Concurrent.dll (copy) 32B0ACDF551507B4A8B9BD0467BEFDC2539C776E3F48221F0B577499F6EAE616

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00408C1C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00406AD4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 0040596C appears 117 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00407904 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00403400 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00445E48 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00457FC4 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00457DB8 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00434550 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00403494 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 004533B8 appears 98 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00446118 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: String function: 00403684 appears 229 times
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: String function: 02CE7750 appears 32 times
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: String function: 02CF2A00 appears 136 times

Source: eF5TnJ6Frr.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: eF5TnJ6Frr.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: eF5TnJ6Frr.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-NAA2F.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NAA2F.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-NAA2F.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-MBT7C.tmp.1.dr	Static PE information: Number of sections : 19 > 10
Source: sqlite3.dll.2.dr	Static PE information: Number of sections : 19 > 10

Source: eF5TnJ6Frr.exe, 00000000.00000003.1223562867.0000000002350000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs eF5TnJ6Frr.exe
Source: eF5TnJ6Frr.exe, 00000000.00000003.1223695253.0000000002088000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs eF5TnJ6Frr.exe

Source: eF5TnJ6Frr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/33@0/3

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CDF8C0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError,

2_2_02CDF8C0

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045568C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_0045568C

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00455EB4 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455EB4

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: CreateServiceA,CloseServiceHandle,CloseServiceHandle,

2_2_0040D474

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_0046E5B8 GetVersion,CoCreateInstance,

1_2_0046E5B8

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409C34

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_004023BA StartServiceCtrlDispatcherA,lstrcmpiW,

2_2_004023BA

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_004023BA StartServiceCtrlDispatcherA,lstrcmpiW,		2_2_004023BA
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_00401B90 StartServiceCtrlDispatcherA,		2_2_00401B90

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:7464:120:WilError_03

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

File created: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: defragtoolspro.exe, defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: defragtoolspro.exe, defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: defragtoolspro.exe, defragtoolspro.exe, 00000002.00000002.2467969881.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, defragtoolspro.exe, 00000002.00000003.1244611693.000000000096F000.00000004.00000020.00020000.00000000.sdmp, sqlite3.dll.2.dr, is-MBT7C.tmp.1.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: eF5TnJ6Frr.exe	Virustotal: Detection: 25%
Source: eF5TnJ6Frr.exe	ReversingLabs: Detection: 21%

Source: eF5TnJ6Frr.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: eF5TnJ6Frr.exe	String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

File read: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eF5TnJ6Frr.exe "C:\Users\user\Desktop\eF5TnJ6Frr.exe"
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp "C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp" /SL5="$204A2,3382697,56832,C:\Users\user\Desktop\eF5TnJ6Frr.exe"
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe "C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe" -i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp "C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp" /SL5="$204A2,3382697,56832,C:\Users\user\Desktop\eF5TnJ6Frr.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe "C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe" -i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: sqlite3.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Defrag Tools Pro_is1

Jump to behavior

Source: eF5TnJ6Frr.exe

Static file information: File size 3633422 > 1048576

Source: eF5TnJ6Frr.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: msvcp100.i386.pdb source: is-J59BF.tmp.1.dr
Source:	Binary string: msvcr100.i386.pdb source: is-5NBFO.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Unpacked PE file: 2.2.defragtoolspro.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Unpacked PE file: 2.2.defragtoolspro.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /4
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /19
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /35
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /51
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /63
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /77
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /89
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /102
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /113
Source: is-MBT7C.tmp.1.dr	Static PE information: section name: /124
Source: sqlite3.dll.2.dr	Static PE information: section name: /4
Source: sqlite3.dll.2.dr	Static PE information: section name: /19
Source: sqlite3.dll.2.dr	Static PE information: section name: /35
Source: sqlite3.dll.2.dr	Static PE information: section name: /51
Source: sqlite3.dll.2.dr	Static PE information: section name: /63
Source: sqlite3.dll.2.dr	Static PE information: section name: /77
Source: sqlite3.dll.2.dr	Static PE information: section name: /89
Source: sqlite3.dll.2.dr	Static PE information: section name: /102
Source: sqlite3.dll.2.dr	Static PE information: section name: /113
Source: sqlite3.dll.2.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_004065C8 push 00406605h; ret	0_2_004065FD
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004849F4 push 00484B02h; ret	1_2_00484AFA
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040995C push 00409999h; ret	1_2_00409991
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00458060 push 00458098h; ret	1_2_00458090
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004860E4 push ecx; mov dword ptr [esp], ecx	1_2_004860E9
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004062C4 push ecx; mov dword ptr [esp], eax	1_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004783C8 push ecx; mov dword ptr [esp], edx	1_2_004783C9
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004104F0 push ecx; mov dword ptr [esp], edx	1_2_004104F5
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0049AD44 pushad ; retf	1_2_0049AD53
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040CE48 push ecx; mov dword ptr [esp], edx	1_2_0040CE4A
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00459378 push 004593BCh; ret	1_2_004593B4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040F3A8 push ecx; mov dword ptr [esp], edx	1_2_0040F3AA
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004434B4 push ecx; mov dword ptr [esp], ecx	1_2_004434B8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0045186C push 0045189Fh; ret	1_2_00451897
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00451A30 push ecx; mov dword ptr [esp], eax	1_2_00451A35
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00495BE4 push ecx; mov dword ptr [esp], ecx	1_2_00495BE9
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00419C38 push ecx; mov dword ptr [esp], ecx	1_2_00419C3D

Source: is-5NBFO.tmp.1.dr

Static PE information: section name: .text entropy: 6.90903234258047

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

2_2_02CDE89A

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-O4E0F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-5LK4E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-J59BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-1K3IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-MBT7C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-IP43T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-Q018O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	File created: C:\ProgramData\DefragToolsPro\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\icuin51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	File created: C:\ProgramData\DefragToolsPro\DefragToolsPro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	File created: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\uninstall\is-NAA2F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-8QM7V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	File created: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-5NBFO.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	File created: C:\ProgramData\DefragToolsPro\DefragToolsPro.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	File created: C:\ProgramData\DefragToolsPro\sqlite3.dll			Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0

2_2_02CDE89A

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_004023BA StartServiceCtrlDispatcherA,lstrcmpiW,

2_2_004023BA

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004843A8 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_004843A8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0042F2F0 IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	1_2_0042F2F0
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0041F128

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,

2_2_02CDE99E

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Window / User API: threadDelayed 2120			Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Window / User API: threadDelayed 7834			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-O4E0F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-5LK4E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-J59BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\Qt5Concurrent.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-1K3IJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\libGLESv2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\icuuc51.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\uninstall\is-NAA2F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\msvcp100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-IP43T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H295N.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-MBT7C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\libEGL.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\Qt5PrintSupport.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-Q018O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-8QM7V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\msvcr100.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\is-5NBFO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\icuin51.dll (copy)	Jump to dropped file

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5967

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_2-61440

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

API coverage: 4.8 %

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe TID: 6928	Thread sleep count: 2120 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe TID: 6928	Thread sleep time: -4240000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe TID: 7880	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe TID: 6928	Thread sleep count: 7834 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe TID: 6928	Thread sleep time: -15668000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_004023DD GetLocalTime followed by cmp: cmp dword ptr [ebp-0000011ch], 01h and CTI: jbe 00401B90h

2_2_004023DD

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00452AD4 FindFirstFileA,GetLastError,	1_2_00452AD4
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00475798 FindFirstFileA,FindNextFileA,FindClose,	1_2_00475798
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_0046417C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_0046417C
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_004645F8 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_004645F8
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00462BF0 FindFirstFileA,FindNextFileA,FindClose,	1_2_00462BF0
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: 1_2_00498FDC FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00498FDC

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B78

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: svchost.exe, 00000006.00000002.2465691141.0000022F8944B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2465561463.0000022F8942B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2465561463.0000022F8942B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000006.00000002.2465691141.0000022F8944B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: defragtoolspro.exe, 00000002.00000002.2465600216.0000000000A45000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000002.2465600216.0000000000958000.00000004.00000020.00020000.00000000.sdmp, defragtoolspro.exe, 00000002.00000003.2098168723.0000000000A45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.2465331999.0000022F89402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000006.00000002.2466072634.0000022F89502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2465691141.0000022F8944B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000006.00000002.2465862847.0000022F89464000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	API call chain: ExitProcess graph end node			graph_0-6764
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	API call chain: ExitProcess graph end node			graph_2-61159

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

graph_2-61336

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CE80F0 IsDebuggerPresent,

2_2_02CE80F0

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CEE6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

2_2_02CEE6AE

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00450334 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00450334

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CD5E41 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_memset,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,_memset,_memset,_memset,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,_memset,_memset,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,

2_2_02CD5E41

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CE80DA SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_02CE80DA

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00478DC4 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00478DC4

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_0042EE28 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

1_2_0042EE28

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042E0AC

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe

Code function: 2_2_02CDE852 cpuid

2_2_02CDE852

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: GetLocaleInfoA,	0_2_0040520C
Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe	Code function: GetLocaleInfoA,	0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: GetLocaleInfoA,	1_2_00408578
Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp	Code function: GetLocaleInfoA,	1_2_004085C4

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00458670 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00458670

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-OE1VH.tmp\eF5TnJ6Frr.tmp

Code function: 1_2_00455644 GetUserNameA,

1_2_00455644

Source: C:\Users\user\Desktop\eF5TnJ6Frr.exe

Code function: 0_2_00405CF4 GetVersionExA,

0_2_00405CF4

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000007.00000002.2466606917.00000210B7702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2466606917.00000210B7702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Socks5Systemz

Source: Yara match	File source: 00000002.00000002.2467069280.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2466991985.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: defragtoolspro.exe PID: 8188, type: MEMORYSTR

Remote Access Functionality

Yara detected Socks5Systemz

Source: Yara match	File source: 00000002.00000002.2467069280.0000000002CD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2466991985.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: defragtoolspro.exe PID: 8188, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	2_2_609660FA
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,	2_2_6090C1D6
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,	2_2_60963143
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_6096A2BD
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,	2_2_6096923E
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,	2_2_6096A38C
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	2_2_6096748C
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,	2_2_609254B1
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_6094B407
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6090F435 sqlite3_bind_parameter_index,	2_2_6090F435
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,	2_2_609255D4
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609255FF sqlite3_bind_text,	2_2_609255FF
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,	2_2_6096A5EE
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,	2_2_6094B54C
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,	2_2_60925686
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,	2_2_6094A6C5
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,	2_2_609256E5
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	2_2_6094B6ED
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6092562A sqlite3_bind_blob,	2_2_6092562A
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,	2_2_60925655
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_6094C64A
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,	2_2_609687A7
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,	2_2_6095F7F7
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,	2_2_6092570B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095F772
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,	2_2_60925778
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6090577D sqlite3_bind_parameter_name,	2_2_6090577D
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,	2_2_6094B764
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6090576B sqlite3_bind_parameter_count,	2_2_6090576B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,	2_2_6094A894
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095F883
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,	2_2_6094C8C2
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,	2_2_6096281E
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,	2_2_6096583A
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,	2_2_6095F9AD
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6094A92B
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6090EAE5 sqlite3_transfer_bindings,	2_2_6090EAE5
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,	2_2_6095FB98
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,	2_2_6095ECA6
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,	2_2_6095FCCE
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,	2_2_6095FDAE
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,	2_2_60966DF1
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,	2_2_60969D75
Source: C:\Users\user\AppData\Local\Defrag Tools Pro 11.3.1.910\defragtoolspro.exe	Code function: 2_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,	2_2_6095FFB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	5 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	Login Hook	5 Windows Service	21 Software Packing	NTDS	46 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Process Injection	1 DLL Side-Loading	LSA Secrets	271 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Bootkit	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report eF5TnJ6Frr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
eF5TnJ6Frr.exe