Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1634234
MD5:	6bbb3762b42f726dfc7c98e82828503e
SHA1:	c036fffa2a7868690b0d57b43be8a423f3bf402a
SHA256:	8485d594346a4e1f7130ff9df286d01aaed2fd1b3954dbfd99d2c32f2641dc4f
Tags:	exex64user-jstrosch
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Creates autostart registry keys with suspicious names

Deletes itself after installation

Deletes shadow drive data (may be related to ransomware)

Joe Sandbox ML detected suspicious sample

May disable shadow drive data (uses vssadmin)

Modifies existing user documents (likely ransomware behavior)

PE file contains section with special chars

Queries Google from non browser process on port 80

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

file.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6BBB3762B42F726DFC7C98E82828503E)

Sbch6_PQie2h8kt7tM0eSKEd.exe (PID: 7000 cmdline: "C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe" MD5: 36BC7900AEB9186913331E47B1E47246)

cmd.exe (PID: 2652 cmdline: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vssadmin.exe (PID: 5864 cmdline: vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)

LYvfxvxpng9iFEWmTnu8xscn.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe" MD5: 5108213812AC915AE36B32492B98D9D9)

LYvfxvxpng9iFEWmTnu8xscn.exe (PID: 5524 cmdline: "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe" MD5: 5108213812AC915AE36B32492B98D9D9)

LYvfxvxpng9iFEWmTnu8xscn.exe (PID: 5424 cmdline: "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe" MD5: 5108213812AC915AE36B32492B98D9D9)

cleanup

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08160137-600c-463b-a7d4-f9f06ed48688

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Source: Process started

Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades): Data: Command: vssadmin.exe delete shadows /all /quiet, CommandLine: vssadmin.exe delete shadows /all /quiet, CommandLine|base64offset|contains: u^, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2652, ParentProcessName: cmd.exe, ProcessCommandLine: vssadmin.exe delete shadows /all /quiet, ProcessId: 5864, ProcessName: vssadmin.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\08160137-600c-463b-a7d4-f9f06ed48688

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 52%			Perma Link
Source: file.exe	ReversingLabs: Detection: 52%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49686 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49696 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49695 version: TLS 1.0

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbl source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078286045.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064954660.0000000004411000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1068659881.00000000026B5000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070080764.000000000444E000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1080003654.000000000444E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorrer source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorml source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.0000000004425000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1022589981.000000000266F000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1023011189.0000000002678000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5140_511505862\95653570-4a96-4019-96b6-27b027f2cb91.pdb= source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbr3 Website_urlplica: source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050185070.0000000002680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb' source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006B14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errora source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorG^LBB source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085539704.000000000523B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079509005.0000000005237000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078002079.0000000005237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbdlt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077173533.000000000458B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079288382.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbQb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050848647.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbr source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb3c-aff1-a69d9e530f96}[1].bmppplication Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules\rule10802v0.xml Dat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb3 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbxt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093074672.0000000005336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\.curlrc.pdb, source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbg.lockisz{ source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorock source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.json source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084106190.000000000478B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077778512.000000000476B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorp source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ngs.datsLo source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdblog source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085539704.000000000523B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079509005.0000000005237000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078002079.0000000005237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\*nload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050848647.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error32.log. source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077173533.000000000458B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079288382.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*50698d5-282c-4c8d-9fa6-c155f2d8d379 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057046915.0000000002645000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057450602.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5636_835662851\e8d11bd0-b939-446e-b741-2c68ed471a53.pdbs source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errordat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorplicaI source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorArRx source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1055951067.00000000051F8000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006823000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb1 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088610458.0000000005648000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092072069.0000000005670000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalStatetaData\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorrer source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069398526.00000000047C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorxml source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093796865.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078286045.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064954660.0000000004411000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1068659881.00000000026B5000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070080764.000000000444E000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1080003654.000000000444E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbers\tinR source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095494031.0000000006DF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbe source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1063837765.00000000055A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbn\| source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb0?\| source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093074672.0000000005336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\*krnlmp.pdbw source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1015536864.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl' source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078581090.000000000439A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064106878.000000000426D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056551202.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070203663.000000000429B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078394498.000000000434A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057485100.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057286968.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1071761113.0000000004370000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d.pdb65338661\01d00eb7-ae22-4601-b5b4-6bd76494c1055C-D source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1023046215.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error7>_H source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbockb[eWl source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorsontedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].jsffice\16.0\excel.exe_Rules\rule10882v0.xmloft\Nb'xg source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdblnt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093796865.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048566882.0000000004659000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errory9 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errort.LOG1 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1049780927.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048523696.00000000046BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorj source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088610458.0000000005648000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092072069.0000000005670000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064106878.000000000426D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079023877.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056551202.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070203663.000000000429B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006823000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078394498.000000000434A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057485100.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048566882.0000000004659000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057286968.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1071761113.0000000004370000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbp source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*05 10-15-18-157.log-3 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1022589981.000000000266F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb5,6A source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1049780927.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048523696.00000000046BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094001382.00000000047EA000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006864000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083827592.00000000047CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1015536864.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\*empStatekkpplication Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056E source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069398526.00000000047C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ings.datta source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5636_747471325\4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorB source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2b82 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057046915.0000000002645000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057450602.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorcation- source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error6r:te source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1055951067.00000000051F8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\.ms-ad\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\3D Objects\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then sub rsp, 38h	0_2_004228D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov qword ptr [rcx+08h], rdx	0_2_00423460
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push rbx	0_2_00424C10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov r8, qword ptr [rdx+08h]	0_2_00422660
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push rsi	0_2_0041E620
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov r8, qword ptr [r8]	0_2_0041F700
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then sub rsp, 38h	0_2_00422FB0

Networking

Queries Google from non browser process on port 80

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	HTTP traffic: GET / HTTP/1.1 User-Agent: LX/1.0 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	HTTP traffic: GET / HTTP/1.1 User-Agent: LX/1.0 Host: www.google.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	HTTP traffic: GET / HTTP/1.1 User-Agent: LX/1.0 Host: www.google.com Connection: Keep-Alive

Source: global traffic

TCP traffic: 192.168.2.9:61438 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.21.63.150 104.21.63.150
Source: Joe Sandbox View	IP Address: 185.215.113.39 185.215.113.39

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: POST /krovb/api HTTP/1.1Content-Length: 2Accept-Encoding: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Content-Type: text/plainUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36Host: 185.215.113.39Accept-Language: ru-RU,ru;q=0.5,en-US;q=0.5Connection: close

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49684 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49686 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49687 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.63.150:443 -> 192.168.2.9:49696 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.9:49695 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.39
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2tVwn7 HTTP/1.1User-Agent: LX/1.0Host: iplis.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2tVwn7 HTTP/1.1User-Agent: LX/1.0Host: iplis.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /2tVwn7 HTTP/1.1User-Agent: LX/1.0Host: iplis.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: LX/1.0Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: LX/1.0Host: www.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: LX/1.0Host: www.google.comConnection: Keep-Alive

Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: setTimeout(function(){google&&google.tick&&google.timers&&google.timers.load&&google.tick("load","xjspls");F();if(x\|\|z\|\|D){if(x){var a=function(){x=!1;G()};google.caft(a);window.setTimeout(a,amd)}z&&(a=function(){z=!1;G()},y.cbvi.push(a),window.setTimeout(a,mmd));D&&document.addEventListener("prerenderingchange",function(){D=!1;G()},{once:!0});if(B\|\|C)w\|\|g()}else A()},0);})();window._ = window._ \|\| {};window._DumpException = _._DumpException = function(e){throw e;};window._s = window._s \|\| {};_s._DumpException = _._DumpException;window._qs = window._qs \|\| {};_qs._DumpException = _._DumpException;(function(){var t=[6,16384,0,0,0,0,0,545423360,0,1048576,3883008,57019664,3008,2097220,4194305,0,0,268435744,2097152,134217760,536880062,284736,48128];window._F_toggles = window._xjs_toggles = t;})();window._F_installCss = window._F_installCss \|\| function(css){};(function(){google.jl={bfl:0,dw:false,ine:false,ubm:false,uwp:true,vs:false};})();(function(){var pmc='{\x22d\x22:{},\x22sb_he\x22:{\x22agen\x22:false,\x22cgen\x22:false,\x22client\x22:\x22heirloom-hp\x22,\x22dh\x22:true,\x22ds\x22:\x22\x22,\x22fl\x22:true,\x22host\x22:\x22google.com\x22,\x22jsonp\x22:true,\x22msgs\x22:{\x22cibl\x22:\x22Clear Search\x22,\x22dym\x22:\x22Did you mean:\x22,\x22lcky\x22:\x22I\\u0026#39;m Feeling Lucky\x22,\x22lml\x22:\x22Learn more\x22,\x22psrc\x22:\x22This search was removed from your \\u003Ca href\x3d\\\x22/history\\\x22\\u003EWeb History\\u003C/a\\u003E\x22,\x22psrl\x22:\x22Remove\x22,\x22sbit\x22:\x22Search by image\x22,\x22srch\x22:\x22Google Search\x22},\x22ovr\x22:{},\x22pq\x22:\x22\x22,\x22rfs\x22:[],\x22stok\x22:\x22dsgzsiilNqevcfg3OkWLquCMkec\x22}}';google.pmc=JSON.parse(pmc);})();</script> </body></html>.getElementById)if(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&location.search.indexOf("&gbv=2")==-1){var f=google.gbvu,g=document.getElementById("gbv");g&&(g.value=a);f&&window.setTimeout(function(){location.href=f},0)};}).call(this);</script></form><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="WqQANb"><a href="/intl/en/ads/">Advertising</a><a href="/services/">Business Solutions</a><a href="/intl/en/about.html">About Google</a></div></div><p style="font-size:8pt;color:#70757a">© 2025 - <a href="/intl/en/policies/privacy/">Privacy</a> - <a href="/intl/en/policies/terms/">Terms</a></p></span></center><script nonce="dxnmo-q-bEU_N51x_EL-hA">(function(){window.google.cdo={height:757,width:1440};(function(){var a=window.innerWidth,b=window.innerHeight;if(!a\|\|!b){var c=window.document,d=c.compatMode=="CSS1Compat"?c.documentElement:c.body;a=d.clientWidth;b=d.clientHeight}if(a&&b&&(a!=google.cdo.width\|\|b!=google.cdo.height)){var e=google,f=e.log,g=
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?t equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube< equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://n equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://n` equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://news.google.com/?tab=wn">News</a> <a class=gb1 href="https://mail.google.com/mail/?tab=wm">Gmail</a> <a class=gb1 href="https://drive.google.com/?tab=wo">Drive</a> <a class=gb1 style="text-decoration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> \| <a href="/preferences?hl=en" class=gb4>Settings</a> \| <a target=_top id=gb_70 href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAAQ" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%"> </td><td align="center" nowrap=""><input name="ie" value="ISO-8859-1" type="hidden"><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="height:32px;margin:4px 0"><input class="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_fkXPZ-L_F_aXxc8P2-22wQY_1" value="I'm Feeling Lucky" name="btnI" type="submit"><script nonce="dxnmo-q-bEU_N51x_EL-hA">(function(){var id='tsuid_fkXPZ-L_F_aXxc8P2-22wQY_1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;} equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://news.google.com/?tab=wn">News</a> <a class=gb1 href="https://mail.google.com/mail/?tab=wm">Gmail</a> <a class=gb1 href="https://drive.google.com/?tab=wo">Drive</a> <a class=gb1 style="text-decoration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> \| <a href="/preferences?hl=en" class=gb4>Settings</a> \| <a target=_top id=gb_70 href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAAQ" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%"> </td><td align="center" nowrap=""><input name="ie" value="ISO-8859-1" type="hidden"><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="height:32px;margin:4px 0"><input class="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_gEXPZ6D4LYCgjfYPqYSIuAI_1" value="I'm Feeling Lucky" name="btnI" type="submit"><script nonce="K9AvoIzz2bgutxK-woYfLg">(function(){var id='tsuid_gEXPZ6D4LYCgjfYPqYSIuAI_1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;} equals www.youtube.com (Youtube)
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: })();</script><div id="mngb"><div id=gbar><nobr><b class=gb1>Search</b> <a class=gb1 href="https://www.google.com/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="http://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a> <a class=gb1 href="https://news.google.com/?tab=wn">News</a> <a class=gb1 href="https://mail.google.com/mail/?tab=wm">Gmail</a> <a class=gb1 href="https://drive.google.com/?tab=wo">Drive</a> <a class=gb1 style="text-decoration:none" href="https://www.google.com/intl/en/about/products?tab=wh"><u>More</u> »</a></nobr></div><div id=guser width=100%><nobr><span id=gbn class=gbi></span><span id=gbf class=gbf></span><span id=gbe></span><a href="http://www.google.com/history/optout?hl=en" class=gb4>Web History</a> \| <a href="/preferences?hl=en" class=gb4>Settings</a> \| <a target=_top id=gb_70 href="https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAAQ" class=gb4>Sign in</a></nobr></div><div class=gbh style=left:0></div><div class=gbh style=right:0></div></div><center><br clear="all" id="lgpd"><div id="XjhHGf"><img alt="Google" height="92" src="/images/branding/googlelogo/1x/googlelogo_white_background_color_272x92dp.png" style="padding:28px 0 14px" width="272" id="hplogo"><br><br></div><form action="/search" name="f"><table cellpadding="0" cellspacing="0"><tr valign="top"><td width="25%"> </td><td align="center" nowrap=""><input name="ie" value="ISO-8859-1" type="hidden"><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="height:32px;margin:4px 0"><input class="lst" style="margin:0;padding:5px 8px 0 6px;vertical-align:top;color:#000" autocomplete="off" value="" title="Google Search" maxlength="2048" name="q" size="57"></div><br style="line-height:0"><span class="ds"><span class="lsbb"><input class="lsb" value="Google Search" name="btnG" type="submit"></span></span><span class="ds"><span class="lsbb"><input class="lsb" id="tsuid_iEXPZ5XmOaiTxc8PpcbOyAk_1" value="I'm Feeling Lucky" name="btnI" type="submit"><script nonce="QugM8Qt7oBQPFZOVFj30Rg">(function(){var id='tsuid_iEXPZ5XmOaiTxc8PpcbOyAk_1';document.getElementById(id).onclick = function(){if (this.form.q.value){this.checked = 1;if (this.form.iflsig)this.form.iflsig.disabled = false;} equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: iplis.ru
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002355000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002782000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.ipify.org
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002342000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002795000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://iplis.ru
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fatorcaos.com.brPerfect
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fatorcaos.com.brzehhttp://www.fatorcaos.com.brhttp://www.fatorcaos.com.brhttp://www.fator
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002681000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/X
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/?tab=wo
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145090053.0000000000780000.00000004.08000000.00040000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplis.ru/2tVwn7
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://news.google.com/?tab=wn
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?t
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/?tab=w1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443

Spam, unwanted Advertisements and Ransom Demands

Deletes shadow drive data (may be related to ransomware)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet	Jump to behavior
Source: vssadmin.exe, 00000005.00000002.1021988572.000001BD96CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Windows\system32\vssadmin.exevssadmin.exe delete shadows /all /quietvssadmin.exe delete shadows /all /quietWinsta0\Default
Source: vssadmin.exe, 00000005.00000002.1021988572.000001BD96CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: vssadmin.exe, 00000005.00000002.1022140792.000001BD970C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vssadmin.exedeleteshadows/all/quiet

May disable shadow drive data (uses vssadmin)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet			Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File deleted: C:\Users\user\Desktop\PWCCAWLGRE.jpg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File deleted: C:\Users\user\Desktop\VAMYDFPUND\ZQIXMVQGAH.pdf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File deleted: C:\Users\user\Desktop\VAMYDFPUND.png	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File deleted: C:\Users\user\Desktop\SFPUSAFIOL.xlsx	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File deleted: C:\Users\user\Desktop\CURQNKVOIX\MXPXCVPDVN.jpg	Jump to behavior

System Summary

PE file contains section with special chars

Source: Sbch6_PQie2h8kt7tM0eSKEd.exe.0.dr

Static PE information: section name: "ZR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004031C0	0_2_004031C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405AE0	0_2_00405AE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403C60	0_2_00403C60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402DE0	0_2_00402DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004050A0	0_2_004050A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B9C0	0_2_0041B9C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004219F0	0_2_004219F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413D14	0_2_00413D14
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004016E0	0_2_004016E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401E80	0_2_00401E80
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Code function: 2_2_00007FF9C1912071	2_2_00007FF9C1912071
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Code function: 8_2_00007FF9C1950C81	8_2_00007FF9C1950C81
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Code function: 8_2_00007FF9C195200C	8_2_00007FF9C195200C
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Code function: 11_2_00007FF9C192200C	11_2_00007FF9C192200C

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00424600 appears 70 times

Source: file.exe, 00000000.00000002.949562377.00000000004B9000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWebBootstrapper.exe8 vs file.exe
Source: file.exe, 00000000.00000000.913474986.00000000004B9000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWebBootstrapper.exe8 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWebBootstrapper.exe8 vs file.exe

Source: LYvfxvxpng9iFEWmTnu8xscn.exe.0.dr

Static PE information: Section: .reloc ZLIB complexity 0.99609375

Source: 2.2.LYvfxvxpng9iFEWmTnu8xscn.exe.780000.1.raw.unpack, Form1.cs

Suspicious URL: 'https://iplis.ru/2tVwn7'

Source: classification engine

Classification label: mal100.rans.spyw.evad.winEXE@12/376@3/4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402440 CreateToolhelp32Snapshot,Process32First,lstrcmpi,Process32Next,lstrcmpi,CloseHandle,CloseHandle,

0_2_00402440

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00405AE0 FindResourceA,LoadResource,SizeofResource,LockResource,strlen,strlen,CreateFileA,WriteFile,CloseHandle,CloseHandle,

0_2_00405AE0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Mutant created: \Sessions\1\BaseNamedObjects\cry

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\iofolko5

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe	Virustotal: Detection: 52%
Source: file.exe	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe "C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe"
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe "C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe "C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vboxhook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\vssadmin.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Section loaded: wintypes.dll

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbl source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078286045.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064954660.0000000004411000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1068659881.00000000026B5000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070080764.000000000444E000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1080003654.000000000444E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorrer source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorml source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.0000000004425000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1022589981.000000000266F000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1023011189.0000000002678000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5140_511505862\95653570-4a96-4019-96b6-27b027f2cb91.pdb= source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbr3 Website_urlplica: source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050185070.0000000002680000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb' source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006B14000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errora source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorG^LBB source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085539704.000000000523B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079509005.0000000005237000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078002079.0000000005237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbdlt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077173533.000000000458B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079288382.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdbQb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050848647.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbr source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb3c-aff1-a69d9e530f96}[1].bmppplication Data\Application Data\Application Data\Microsoft\Office\16.0\excel.exe_Rules\rule10802v0.xml Dat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb3 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbxt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093074672.0000000005336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\.curlrc.pdb, source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbg.lockisz{ source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorock source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.json source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084106190.000000000478B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077778512.000000000476B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorp source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ngs.datsLo source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdblog source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085539704.000000000523B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079509005.0000000005237000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078002079.0000000005237000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\*nload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1050848647.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error32.log. source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077173533.000000000458B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079288382.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*50698d5-282c-4c8d-9fa6-c155f2d8d379 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057046915.0000000002645000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057450602.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5636_835662851\e8d11bd0-b939-446e-b741-2c68ed471a53.pdbs source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errordat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorplicaI source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorArRx source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069138598.0000000005644000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1055951067.00000000051F8000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006823000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb1 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088610458.0000000005648000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092072069.0000000005670000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\LocalStatetaData\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorrer source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069398526.00000000047C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorxml source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093796865.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078286045.0000000004448000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064954660.0000000004411000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1068659881.00000000026B5000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070080764.000000000444E000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1080003654.000000000444E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbers\tinR source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092346915.000000000456B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.000000000452C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.000000000457B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083871663.00000000044CC000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085620169.000000000456A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095494031.0000000006DF4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbe source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1063837765.00000000055A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbn\| source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb0?\| source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088513319.00000000057A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093074672.0000000005336000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\VirtualStore\*krnlmp.pdbw source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1015536864.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbl' source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078581090.000000000439A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064106878.000000000426D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056551202.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070203663.000000000429B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078394498.000000000434A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057485100.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057286968.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1071761113.0000000004370000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d.pdb65338661\01d00eb7-ae22-4601-b5b4-6bd76494c1055C-D source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1023046215.0000000002648000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error7>_H source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbockb[eWl source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorsontedStrings.en-gb_RP-iR89BipE4i7ZOqiqEgQ2[1].jsffice\16.0\excel.exe_Rules\rule10882v0.xmloft\Nb'xg source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085304317.0000000002651000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1085145580.000000000264B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdblnt source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088974110.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1093796865.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095364256.00000000045AB000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1084191881.00000000045AB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdbat source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048566882.0000000004659000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errory9 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.0000000006ACD000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079173197.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088096115.0000000006AD2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errort.LOG1 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1049780927.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048523696.00000000046BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorj source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1088610458.0000000005648000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1092072069.0000000005670000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1064106878.000000000426D000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079023877.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056551202.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1070203663.000000000429B000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006823000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1078394498.000000000434A000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057485100.0000000004370000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048566882.0000000004659000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057286968.000000000429C000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1071761113.0000000004370000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbp source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076593755.00000000068E8000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056303599.0000000004747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*05 10-15-18-157.log-3 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1022589981.000000000266F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb5,6A source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1049780927.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1048523696.00000000046BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094001382.00000000047EA000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1076699799.0000000006864000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1083827592.00000000047CA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1095624703.0000000006F6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1015536864.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\*empStatekkpplication Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056E source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1069398526.00000000047C2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*ings.datta source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1056139532.00000000047AF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\msedge_url_fetcher_5636_747471325\4643befd-79b8-4e0c-a2fb-c0e3ee78dcd5.pdb source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1091477158.00000000068A6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorB source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1087083558.00000000069F3000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1094823712.0000000006A9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2b82 source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057046915.0000000002645000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1057450602.0000000002669000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorcation- source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1077903712.0000000005300000.00000004.00000020.00020000.00000000.sdmp, Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1079396733.000000000530F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error6r:te source: Sbch6_PQie2h8kt7tM0eSKEd.exe, 00000001.00000003.1055951067.00000000051F8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .dosx:EW;.fish:EW;.rsrc:W; vs .dosx:ER;.fish:ER;.rsrc:W;

.NET source code contains potential unpacker

Source: LYvfxvxpng9iFEWmTnu8xscn.exe.0.dr, _.cs

.Net Code: Main System.Reflection.Assembly.Load(byte[])

Source: initial sample

Static PE information: section where entry point is pointing to: .fish

Source: file.exe	Static PE information: section name: .dosx
Source: file.exe	Static PE information: section name: .fish
Source: Sbch6_PQie2h8kt7tM0eSKEd.exe.0.dr	Static PE information: section name: "ZR
Source: Sbch6_PQie2h8kt7tM0eSKEd.exe.0.dr	Static PE information: section name: bebbb
Source: Sbch6_PQie2h8kt7tM0eSKEd.exe.0.dr	Static PE information: section name: b4b

Source: file.exe	Static PE information: section name: .fish entropy: 7.7851415056535815
Source: Sbch6_PQie2h8kt7tM0eSKEd.exe.0.dr	Static PE information: section name: bebbb entropy: 7.927971667797864

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\Desktop\file.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08160137-600c-463b-a7d4-f9f06ed48688

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08160137-600c-463b-a7d4-f9f06ed48688			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08160137-600c-463b-a7d4-f9f06ed48688			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI			Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Memory allocated: 2C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: 730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: 1A230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: 12C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: 1AEA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: CC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Memory allocated: 1A670000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\system32\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\System32\Wbem\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\system\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: \pipe\VBoxTrayIPC	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\System32\OpenSSH\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Users\user\Desktop\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: VBoxMiniRdrDN	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\System32\WindowsPowerShell\v1.0\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Windows\SYSTEM32\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxHook.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599004	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598670	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597134	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599167
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598248
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598136
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597141

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 5368	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 4404	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 5488	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 4231	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 2364
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Window / User API: threadDelayed 7418

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99886s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99642s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -99077s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98749s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98358s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98230s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -98101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97973s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97851s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97709s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97591s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97467s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97348s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97230s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97252s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -97015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96678s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96445s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96343s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -96125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -95989s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -599131s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -599004s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -598047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597813s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597469s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597360s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6856	Thread sleep time: -597141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99645s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99520s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98817s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98693s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98566s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98437s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98325s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97956s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97609s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97546s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97433s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -97078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96859s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -96422s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598670s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598234s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598125s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -598010s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597828s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597594s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 6828	Thread sleep time: -597134s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7204	Thread sleep count: 2364 > 30
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7200	Thread sleep count: 7418 > 30
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99721s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99593s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -99046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98499s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98164s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97639s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -96982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -599167s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598248s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598136s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -598016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe TID: 7176	Thread sleep time: -597141s >= -30000s

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99886	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99642	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99077	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98749	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98358	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98230	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97973	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97851	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97709	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97591	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97348	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97230	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97252	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96797	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96678	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96445	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96343	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 95989	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599004	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598766	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598406	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598281	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598172	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598047	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597938	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597813	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597469	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597360	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597250	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597141	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99645	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99520	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99274	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98817	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98693	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98566	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98325	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97956	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97609	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97546	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97433	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97297	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97187	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97078	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96859	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96531	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96422	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598670	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598344	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598010	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597828	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597594	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597134	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99721
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99593
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99484
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99375
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99265
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 99046
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98937
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98828
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98718
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98609
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98499
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98390
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98281
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98164
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 98047
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97922
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97812
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97750
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97639
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96982
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599167
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598359
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598248
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598136
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 598016
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597688
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597469
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597359
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Thread delayed: delay time: 597141

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\.ms-ad\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\3D Objects\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\Acrobat\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Adobe\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\	Jump to behavior

Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\System32\Wbem\VBoxHook.dll
Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\VBoxHook.dll
Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VBoxHook.dll
Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\VBoxHook.dllG
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2180212300.000000001CECC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: file.exe, 00000000.00000002.949600904.000000000086C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__W
Source: LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1147934510.000000001DAB5000.00000004.00000020.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2181417435.000000001D4D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00402C00 GetCurrentProcess,CheckRemoteDebuggerPresent,

0_2_00402C00

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00404CA0 IsDebuggerPresent,

0_2_00404CA0

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418810 TlsGetValue,CloseHandle,CloseHandle,CloseHandle,RtlRemoveVectoredExceptionHandler,RtlAddVectoredExceptionHandler,CloseHandle,CloseHandle,TlsSetValue,CloseHandle,	0_2_00418810
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,exit,	0_2_00401180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040FD30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,	0_2_0040FD30

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\vssadmin.exe vssadmin.exe delete shadows /all /quiet			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe VolumeInformation

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040FC50 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040FC50

Source: C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\state.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\containers.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\background-update	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\session-state.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\5c52a77f-c922-4d05-b4a5-35092432cb64	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.270e063c-5835-4e21-b776-167913525107.event.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\db\data.safe.bin	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\installs.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526924.bb2f07d2-72ba-475b-89d6-f1004541a20e.new-profile.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\saved-telemetry-pings\6f88a504-672b-429f-becc-5f24bfcb1009	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\upgrade.jsonlz4-20230927232528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532955.5c52a77f-c922-4d05-b4a5-35092432cb64.health.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\ca4gppea.default\times.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526939.711b9395-807b-4c7f-a045-dd83b14de7aa.first-shutdown.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\f30d6b3f-1d43-4dd4-add9-f29c1313c2dd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532994.855442d8-08ff-437c-ab54-8b85f7a1de31.main.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496532976.f626f4c3-4652-4b17-a31d-20b62aabb4bc.health.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore-backups\previous.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\addons.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526938.6f88a504-672b-429f-becc-5f24bfcb1009.main.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\pending_pings\cb77fc44-213e-46f2-a233-e27b26b3b3e2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\times.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\glean\events\events	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\datareporting\archived\2023-10\1696496526932.a88cd073-7a8b-423f-bd0e-4c9cfe05f0fa.event.jsonlz4	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\.metadata-v2	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Crash Reports\InstallTime20230927232528	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\compatibility.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	531 Security Software Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	51 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 File Deletion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	53%	Virustotal		Browse
file.exe	53%	ReversingLabs	Win64.Trojan.MintZard

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe	58%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe	29%	ReversingLabs	Win64.Trojan.Khalesi

Source	Detection	Scanner	Label
http://185.215.113.39/krovb/api	0%	Avira URL Cloud	safe
http://www.fatorcaos.com.brzehhttp://www.fatorcaos.com.brhttp://www.fatorcaos.com.brhttp://www.fator	0%	Avira URL Cloud	safe
http://www.fatorcaos.com.brPerfect	0%	Avira URL Cloud	safe
https://iplis.ru	0%	Avira URL Cloud	safe
https://iplis.ru/2tVwn7	0%	Avira URL Cloud	safe
http://iplis.ru	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
api.ipify.org	104.26.12.205	true	false	high
www.google.com	142.250.185.196	true	false	high
iplis.ru	104.21.63.150	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
http://185.215.113.39/krovb/api	false	Avira URL Cloud: safe	unknown
https://iplis.ru/2tVwn7	false	Avira URL Cloud: safe	unknown
http://www.google.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/?hl=en&tab=w8	LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/intl/en/about/products?tab=wh	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/imghp?hl=en&tab=wi	LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://csp.withgoogle.com/csp/gws/other-hp	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drive.google.com/?tab=wo	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://news.google.com/?tab=wn	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fatorcaos.com.brzehhttp://www.fatorcaos.com.brhttp://www.fatorcaos.com.brhttp://www.fator	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iplis.ru	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://mail.google.com/mail/?tab=wm	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schema.org/WebPage	LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?tab=w1	LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://api.ipify.org	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002355000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002FB4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002782000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002681000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fatorcaos.com.brPerfect	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1146764684.0000000012241000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://iplis.ru	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002342000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002FC6000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002795000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.com/history/optout?hl=en	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003074000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/X	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	false		high
http://maps.google.com/maps?hl=en&tab=wl	LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000283E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/?t	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.google.com	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.00000000023E4000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000003054000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.000000000281C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	LYvfxvxpng9iFEWmTnu8xscn.exe, 00000002.00000002.1145652670.0000000002231000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 00000008.00000002.2176484600.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, LYvfxvxpng9iFEWmTnu8xscn.exe, 0000000B.00000002.2176298736.0000000002754000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
104.21.63.150	iplis.ru	United States	13335	CLOUDFLARENETUS	false
185.215.113.39	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634234
Start date and time:	2025-03-10 21:01:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.spyw.evad.winEXE@12/376@3/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 70 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 40.69.42.241, 20.3.187.198, 23.60.203.209
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target LYvfxvxpng9iFEWmTnu8xscn.exe, PID 5424 because it is empty
Execution Graph export aborted for target LYvfxvxpng9iFEWmTnu8xscn.exe, PID 5524 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
16:02:58	API Interceptor	1x Sleep call for process: file.exe modified
16:03:05	API Interceptor	3529258x Sleep call for process: LYvfxvxpng9iFEWmTnu8xscn.exe modified
20:03:00	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 08160137-600c-463b-a7d4-f9f06ed48688 C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe
20:03:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 08160137-600c-463b-a7d4-f9f06ed48688 C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	NightFixed 1.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	VibeCall.exe	Get hash	malicious	RHADAMANTHYS	Browse	api.ipify.org/
	VRChat_ERP_Setup 1.0.0.msi	Get hash	malicious	Unknown	Browse	api.ipify.org/
	wEY98gM1Jj.ps1	Get hash	malicious	LummaC Stealer	Browse	api.ipify.org/
	oNvY66Z8jp.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	Pmw24ExIdx.ps1	Get hash	malicious	Unknown	Browse	api.ipify.org/
	DeepLauncher.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	[Huawei] Contract for YouTube partners.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	NexoPack Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	NexoPack Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
104.21.63.150	https://meliopayments.cloudfilesbureau.com/j319C	Get hash	malicious	HTMLPhisher	Browse
	iBO7gzlZr3.exe	Get hash	malicious	LummaC	Browse
	5zFCjSBLvw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse
	cKt8r2v7Gy.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BackDoor.SpyBotNET.62.21177.12908.exe	Get hash	malicious	EICAR, PureLog Stealer, zgRAT	Browse
	SecuriteInfo.com.Trojan.Siggen28.55231.10056.8041.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, SystemBC, Vidar, zgRAT	Browse
	SecuriteInfo.com.Win64.DropperX-gen.20168.7257.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar, zgRAT	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.PWSX-gen.29347.28297.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Neoreklami, PureLog Stealer, zgRAT	Browse
185.215.113.39	random(4).exe	Get hash	malicious	Unknown	Browse	185.215.113.39/krovb/api
	wow.exe	Get hash	malicious	Amadey, GhostRat, GuLoader, LummaC Stealer, XWorm, Xmrig	Browse	185.215.113.39/files/unique1/random.exe
	p199AjsEFs.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.215.113.39/files/sawdu5t/random.exe
	2E02vIiMfd.exe	Get hash	malicious	LummaC, Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Vidar	Browse	185.215.113.39/files/unique2/random.exe
	2cYxf6R4KS.exe	Get hash	malicious	LummaC, Amadey	Browse	185.215.113.39/files/asjduwgsgausi/random.exe
	zOozafCgcM.exe	Get hash	malicious	Amadey	Browse	185.215.113.39/files/nickjonsong/random.exe
	random.exe	Get hash	malicious	Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Vidar	Browse	185.215.113.39/files/unique2/random.exe
	random.exe	Get hash	malicious	Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse	185.215.113.39/files/unique3/random.exe
	random.exe	Get hash	malicious	Amadey, Socks5Systemz	Browse	185.215.113.39/files/sawdu5t/random.exe
	I5D7Y9o1R1.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	185.215.113.39/files/unique2/random.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
iplis.ru	Z66MsXpleT.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.147.32
	eSLlhErJ0q.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.147.32
	iBO7gzlZr3.exe	Get hash	malicious	LummaC	Browse	104.21.63.150
	7CTH165fQv.exe	Get hash	malicious	Latrodectus	Browse	172.67.147.32
	5zFCjSBLvw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	104.21.63.150
	cKt8r2v7Gy.exe	Get hash	malicious	Unknown	Browse	104.21.63.150
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	172.67.147.32
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse	172.67.147.32
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	172.67.147.32
	file.exe	Get hash	malicious	Unknown	Browse	172.67.147.32
api.ipify.org	ATT09858.htm	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	PatricksParabox.exe.bin.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	104.26.13.205
	https://publizr.com/alliedcon/allied-construction	Get hash	malicious	Gabagool	Browse	104.26.13.205
	uVEaZrbyd6.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	rEthE93UEz.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Wi8JY2Ta81.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	3SgC5vaFEg.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	BSDOC-2025.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	I24560875423784426VTL.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
bg.microsoft.map.fastly.net	Section_PE32_image_Aint13_Aint13_body.efi.dll	Get hash	malicious	Unknown	Browse	199.232.214.172
	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	PEDIDO DE OR#U00c7AMENTO (Universidade NOVA de Lisboa) 03-10-2025#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.214.172
	ANGEBOTSANFRAGE (Universit#U00e4t Klagenfurt) 10-03-2025#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172
	Online Notification.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	FW 188355..msg	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	x3xqeKOaAd.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	199.232.210.172
	PastePictures 1.xla	Get hash	malicious	Unknown	Browse	199.232.214.172
	POETDB24-25771.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	CO894GOV2O25.vbs	Get hash	malicious	Remcos, GuLoader	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	Inst#U0430ll.exe	Get hash	malicious	LummaC Stealer, Xmrig	Browse	185.215.113.51
	a0RkmvhSaf.exe	Get hash	malicious	Phorpiex	Browse	185.215.113.66
	Setup.exe	Get hash	malicious	Xmrig	Browse	185.215.113.51
	mQRr8Rkorf.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	random(1).exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.115
	random(4).exe	Get hash	malicious	Unknown	Browse	185.215.113.39
	d5Wai5fIAK.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	185.215.113.209
	pGOrhjLXy3.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc	Browse	185.215.113.115
	fj6tgskjvb.exe	Get hash	malicious	Unknown	Browse	185.215.113.16
	random.exe	Get hash	malicious	Amadey, Credential Flusher, GCleaner, LummaC Stealer, Stealc	Browse	185.215.113.16
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	ATT09858.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://poshmark-bundle.sale/reit	Get hash	malicious	Unknown	Browse	104.17.245.203
	q2e132qweertgd.exe.bin.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.4.235
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	104.16.145.15
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.95.8
	PatricksParabox.exe.bin.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	SmartPDFPro.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.204.104
	Fd-Employee-Handbook(1).pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	ATT09858.htm	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	https://poshmark-bundle.sale/reit	Get hash	malicious	Unknown	Browse	104.17.245.203
	q2e132qweertgd.exe.bin.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	104.20.4.235
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	104.16.145.15
	download.php.exe.bin.exe	Get hash	malicious	Amadey, DCRat, LummaC Stealer, PureLog Stealer, zgRAT	Browse	104.21.95.8
	PatricksParabox.exe.bin.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	SmartPDFPro.msi	Get hash	malicious	Unknown	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SNKO05B241100201.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.63.150 104.26.12.205
	SNKO05B241100201..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.63.150 104.26.12.205
	COA.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.63.150 104.26.12.205
	Vesses Information_pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.63.150 104.26.12.205
	SNKO05B241100201.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.63.150 104.26.12.205
	sNtelKBdvr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.63.150 104.26.12.205
	rgk62zzDVd.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.63.150 104.26.12.205
	ESrG8c98zz.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.63.150 104.26.12.205
	ZS0Uo8zwGk.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.63.150 104.26.12.205
	B599ZYjsg4.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.63.150 104.26.12.205

Process:	C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe
File Type:	data
Category:	dropped
Size (bytes):	4116
Entropy (8bit):	7.957989975965071
Encrypted:	false
SSDEEP:	96:FAZzfpgj3mPZ0JLN9cQ6af2tzvki+XdWSDYmBnD/RGaQtJXjGMdvscHC:FA/EmPZlxafu5+HYmD/RLQ/GU09
MD5:	663DEFD052A2E4ECD1AE5E822A969975
SHA1:	61CCEFF9021DD80FC237F296EC92E492E55D04C1
SHA-256:	8232339AE5F927703B6AA33592A3FBC8FA2B73255F4AA7936FFC4F91BA6B8129
SHA-512:	14FDA7853F4EF48EED945285F5C0359D521A5E5C58318F32229AB41D0BBF6B6BA92FE9D68CE6C52012D0A8C76ABA4EAFE0EE6377B10C4DD812023B745F2FDBE1
Malicious:	false
Reputation:	low
Preview:	krov..N.N...m..g.l=..w.l...M1......;E.T...P..KMuHt.......Y....i"..T...m.i..HZ]^...i+.nn...EN..8..hjO..%.=;....0..V.^......u@...:.^E.ks/4<..1...B.....9.o..X..T..h....7o...8...k.gu.K.......x.3.....k.M..D..[.@7.0.....t...r..0...!.\. ..N...t....LhT.S...,...A...j.F.d....:Om.......yDNv........@~.Cy#M.....w.K..B\|P\|.9I.}.qSuU....F.F#.......!.R.....n..r....w~.:...k.a..\|-...:.h......jV.. }.u.%.M....WG..:.T$@..../.p..O..g..&yV....eZ.-rw....G...../.u:.._.zWy..2.w0@2!............iPV.n]i..a..,..P......n.<....C`.....#.-...8...).r..x....F... ,wG......6.e....`$."..\|=.!..t.A.m.............?.A...^E.#..K..@.\|.....zw........{.X..}..&.=.@.....F.'..Ba1/..B........x~"}.&.z#..U\.`.JVP..p.c.5...H..o....Jp.X. ......`V.....}.......u..W8....&......G(7.....<. ..+.....A.....0......t...j....KY.v..U.S._8.`.v...3........+.k?!.9b.......N..RI...~.".Fm...../.I..RxqO..'u.{(.9.S.t........w.q5I/.D........n....}..x..p..]...Y..W."...?."+&.9.V...........)./m(.H.F... /....i..d.

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Category:	dropped
Size (bytes):	48919
Entropy (8bit):	7.311295236309583
Encrypted:	false
SSDEEP:	768:+vFgg8W7jwRe/boDnBbyMabmAI49MlDJrwT7hV1negyNXxGSxwlb2aOlaVAen2Q:qJ7IeMDpqG4qlDJET9Vd/l8lT+
MD5:	5108213812AC915AE36B32492B98D9D9
SHA1:	E07EEC67E846A8C9CB86AA85602DD15AA1C8AB92
SHA-256:	0F56EBDC4EF85688A2A2D59424303812CA814C3D2E319178EC53CA7BD5C47766
SHA-512:	DDD7FBDADF1203B6C7E9A2FF4015B799D323DED97B311BA286F5604C9260DCA9ADBE15EBEA2ED12D4DA87C9431651650E39E1E6CF77F511F4BAB15EBC57EC871
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	low
Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@..\....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...\....@......................@..@.reloc.......`.......$..............@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\.curlrc.lczx (copy)

C:\Users\user\AppData\Local\Temp\iofolko5\LYvfxvxpng9iFEWmTnu8xscn.exe

C:\Users\user\AppData\Local\Temp\iofolko5\Sbch6_PQie2h8kt7tM0eSKEd.exe

C:\Users\user\AppData\Local\Temp\lczx.txt

C:\Users\user\AppData\Local\Temp\raw

C:\Users\user\Application Data\.curlrc.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\JSCache\GlobData.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\JSCache\GlobSettings.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_store.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_storei.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\ES_session_storek.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\Security\addressbook.acrodata.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\TMDocs.sav.lczx (copy)

C:\Users\user\Application Data\Adobe\Acrobat\DC\TMGrpPrm.sav.lczx (copy)

C:\Users\user\Application Data\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_9e146be9-c76a-4720-bcdb-53011b87bd06.lczx (copy)

Windows Analysis Report
file.exe